Mobile IPv6 Extensions Group                                     F. Zhao
Internet-Draft                                                 S. Faccin
Expires: January 7, 2009                                        A. Damle
                                                                 Marvell
                                                            July 6, 2008


              IKEv2 based Mobile Network Prefix Assignment
                      draft-zhao-mext-mnp-ikev2-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 7, 2009.

















Zhao, et al.             Expires January 7, 2009                [Page 1]

Internet-Draft                MNP Assigment                    July 2008


Abstract

   This document proposes a mechanism for the Mobile Router to
   dynamically obtain the Mobile Network Prefix through IKEv2.  The
   mechanisms to renew, release and update the allocated Mobile Network
   Prefixes are also described.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  New Attribute Format . . . . . . . . . . . . . . . . . . . . .  4
   4.  Mobile Network Prefix Assignment . . . . . . . . . . . . . . .  6
   5.  Mobile Network Prefix Management . . . . . . . . . . . . . . .  8
     5.1.  Renewing the Mobile Network Prefix . . . . . . . . . . . .  8
     5.2.  Releasing the Mobile Network Prefix  . . . . . . . . . . .  8
     5.3.  Updating the Mobile Network Prefix . . . . . . . . . . . .  9
   6.  Security Consideration . . . . . . . . . . . . . . . . . . . . 10
   7.  IANA Consideration . . . . . . . . . . . . . . . . . . . . . . 10
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
   Intellectual Property and Copyright Statements . . . . . . . . . . 13




























Zhao, et al.             Expires January 7, 2009                [Page 2]

Internet-Draft                MNP Assigment                    July 2008


1.  Introduction

   With the specification of the Network Mobility (NEMO) Basic Support
   Protocol defined in RFC 3963 [1], a Mobile Router needs to advertise
   an IPv6 prefix, called the Mobile Network Prefix, on the link
   associated with the Mobile Network in order for the Mobile Network
   Nodes to perform IP address configuration and thus obtain IP
   connectivity.  Static configuration of the Mobile Network Prefix on
   the Mobile Router is inefficient, especially when the Mobile Networks
   are to be deployed at a large scale.  However, the NEMO Basic Support
   protocol [1] does not specify a dynamic Mobile Network Prefix
   assignment mechanism for the Mobile Router.

   Besides the Mobile Network Prefix, the Mobile Router needs its Home
   Agent address, its Home Address, and the necessary information (such
   as IPsec security associations) shared with the Home Agent to protect
   signaling and/or data traffic, when it powers up and uses the NEMO/
   DSMIPv6 protocol to obtain network connectivity.  The procedure for
   the Mobile Node to obtain such information is called bootstrapping
   [2] in the context of Mobile IPv6.  Bootstrapping solutions [3] [4]
   are proposed for both split and integrated scenarios, such as Home
   Agent discovery via DHCP or DNS and Home Address assignment via
   IKEv2.  In order to reduce complexity and costs of implementation, it
   is desired that the components of the Mobile IPv6 bootstrapping
   mechanism are re-used as much as possible for NEMO Mobile Router
   bootstrapping.

   In this document, we propose that the Mobile Router obtains the
   Mobile Network Prefix through IKEv2, i.e. using the same message
   exchange for the Home Address assignment.  In addition, we describe
   mechanisms to renew, release and update the allocated Mobile Network
   Prefix.


2.  Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [5].

   Mobility terminology used throughout this document is defined in [6],
   [7] and [8].









Zhao, et al.             Expires January 7, 2009                [Page 3]

Internet-Draft                MNP Assigment                    July 2008


3.  New Attribute Format

   We propose a new IKEv2 Configuration Attribute, called
   MOBILE_NETWORK_PREFIX6.  This attribute is carried in the IKEv2
   Configuration Payload and is used to convey an IPv6 Mobile Network
   Prefix between the Mobile Router and the Home Agent.  Figure 1 shows
   the format of the MOBILE_NETWORK_PREFIX6 Configuration Attribute.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |R|      Attribute Type         |           Length              |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Prefix Lifetime                       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       |                  IPv6 Mobile Network Prefix                   |
       |                                                               |
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       | Prefix Length |
       +-+-+-+-+-+-+-+-+

       Figure 1: The format of the MOBILE_NETWORK_PREFIX6 attribute

      Reserved (1 bit)

         This bit MUST be set to zero and MUST be ignored on receipt.

      Attribute Type (15 bits)

         A unique identifier for the MOBILE_NETWORK_PREFIX6 attribute
         (to be determined by IANA).

      Length (2 octets)

         Length in octets of fields, including IPv6 Mobile Network
         Prefix, Prefix Lifetime and Prefix Length.  This can be 0 or
         21.

      Prefix Lifetime (4 octets)

         The length of time period during which the Mobile Network
         Prefix remains valid.  This should not be longer than the
         lifetime of the IKE security association used when the Mobile
         Network Prefix is assigned to the Mobile Router.





Zhao, et al.             Expires January 7, 2009                [Page 4]

Internet-Draft                MNP Assigment                    July 2008


      IPv6 Mobile Network Prefix (16 octets)

         The IPv6 Mobile Network Prefix to be advertised to the Mobile
         Network.

      Prefix Length (1 octet)

         The length in bits of the Mobile Network Prefix specified in
         the IPv6 Mobile Network Prefix field.

   When the Mobile Router requests a new Mobile Network Prefix, the
   Mobile Router includes the MOBILE_NETWORK_PREFIX6 attribute in the
   CFG_REQUEST payload and the value of the Length field is zero or the
   IPv6 Mobile Network Prefix field is set as zero.  The Mobile Router
   may indicate the preferred Mobile Network Prefix in this attribute
   and the Home Agent should return the indicated Mobile Network Prefix,
   if available.  The Mobile Router may explicitly request a lifetime by
   specifying a value in the Prefix Lifetime field.  Such value must not
   be zero if the Mobile Router specifies a preferred Mobile Network
   Prefix and is set as 2^32-1 if the Mobile Router wants the assigned
   Mobile Network Prefix remains valid for the lifetime of the IKEv2
   security association.  The Mobile Router may request multiple Mobile
   Network Prefixes by using multiple MOBILE_NETWORK_PREFIX6 attributes
   in one IKEv2 request message.

   If such request from the Mobile Router is valid, the Home Agent
   includes the MOBILE_NETWORK_PREFIX6 attribute in the CFG_REPLY
   payload and sends it back to the Mobile Router in one IKEv2 response
   message.  The attribute contains the allocated Mobile Network Prefix
   and the lifetime authorized by the Home Agent.  If the Mobile Router
   requests multiple Mobile Network Prefixes in one IKEv2 request
   message, the Home Agent should return multiple Mobile Network
   Prefixes by using multiple MOBILE_NETWORK_PREFIX6 attributes in one
   IKEv2 response message.

   There are different mechanisms for the Home Agent to allocate the
   Mobile Network Prefix.  For example, the Home Agent may manage a pool
   of network prefixes by itself or communicate with a DHCP server
   located in the home domain for this task.  The details of such
   mechanisms are out of scope of this document.











Zhao, et al.             Expires January 7, 2009                [Page 5]

Internet-Draft                MNP Assigment                    July 2008


4.  Mobile Network Prefix Assignment

   When the Mobile Router powers up, based on its configuration or some
   mechanisms that are out of scope of this document, the Mobile Router
   may choose hosted based mobility protocols, such as DSMIPv6/NEMO, to
   set up network connectivity.  Figure 2 shows the steps performed by
   the Mobile Router during bootstrapping.

          MR                      Access network                      HA
          |                            |                            |
          | IP address configuration   |                            |
          |<-------------------------->|                            |
          |                            |                            |
          | Home Agent discovery       |                            |
          |<-------------------->      |                            |
          |                            |                            |
          | IKE_SA_INIT{...}                                        |
          |<------------------------------------------------------->|
          |                                                         |
          | IKE_AUTH{CFG_REQUEST(HoA/HNP, MNP)}                     |
          |-------------------------------------------------------->|
          |                                                         |
          | IKE_AUTH{CFG_REPLY(HoA/HNP, MNP)}                       |
          |<--------------------------------------------------------|
          |                                                         |
          | BU/BA                                                   |
          |<------------------------------------------------------->|
          |                                                         |

    Figure 2: The procedure of the Mobile Network Prefix assignment via
                                   IKEv2

   o  When attaching to a new link, the Mobile Router configures an IP
      address on its interface that attaches to this link, for example,
      by performing IP address stateless configuration using Router
      Solicitation and Router Advertisement messages.

   o  The Mobile Router discovers the IP address of the Home Agent, for
      example, by using mechanisms defined in [6] [3] and [4].

   o  The Mobile Router starts to establish a security association and
      firstly completes the IKE_SA_INIT exchange with the discovered
      Home Agent.

   o  During the IKE_AUTH exchange, in addition to a Home Address or
      Home Network Prefix, the Mobile Router also requests a Mobile
      Network Prefix from the Home Agent by including the
      MOBILE_NETWORK_PREFIX6 attribute in the CFG_REQUEST payload.



Zhao, et al.             Expires January 7, 2009                [Page 6]

Internet-Draft                MNP Assigment                    July 2008


   o  The Home Agent verifies this request based on its policy and
      configuration.  If this request is valid, the Home Agent allocates
      a Mobile Network Prefix in addition to a Home Address or Home
      Network Prefix.  The information regarding the allocated Mobile
      Network Prefix, including the lifetime, is carried in the
      MOBILE_NETWORK_PREFIX6 attribute and sent back to the Mobile
      Router.  The Mobile Router configures the Home Address and the
      Mobile Network Prefix based on the received CFG_REPLY payload.

   o  If the Mobile Router attaches to its home link (the details of the
      home link detection mechanism is out of scope of this document),
      the Mobile Router does not perform binding registration with the
      Home Agent.  Otherwise, the Mobile Router follows the procedure
      specified in the NEMO Basic Support Protocol [1] to register the
      binding between its Care-of address and its Home Address and the
      Mobile Network Prefix with the Home Agent.  In addition to an
      IPSec security association to protect mobility signaling messages,
      the Mobile Router may negotiate an IPSec child security
      association with the Home Agent to protect the data traffic
      from/to itself and the Mobile Network Nodes.































Zhao, et al.             Expires January 7, 2009                [Page 7]

Internet-Draft                MNP Assigment                    July 2008


5.  Mobile Network Prefix Management

   After the Mobile Router obtains the Mobile Network Prefix, in the
   most common case, the Mobile Network Prefix is used until the current
   IKEv2 security association expires or is explicitly deleted or re-
   authenticated, i.e. the Mobile Network Prefix is valid through the
   lifetime of the IKEv2 security association.  In this case, either the
   Mobile Router or the Home Agent can initiate the procedure to renew,
   release and update the allocated Mobile Network Prefix by performing
   operations, such as rekeying or re-establishing the IKEv2 security
   association as specified in the IKEv2 protocol [9].

   On the other hand, with the Informational Exchange already defined in
   the IKEv2 protocol [9], an allocated Mobile Network Prefix can also
   be renewed, released and updated while the IKEv2 security association
   is still valid.  Such Informational Exchange is protected by the
   IKEv2 security association.

   In the following, we focus on mechanisms for renewing, releasing and
   updating the Mobile Network Prefix in the second case.

5.1.  Renewing the Mobile Network Prefix

   When the lifetime of the allocated Mobile Network Prefix is about to
   expire, the Mobile Router needs to extend the lifetime of the Mobile
   Network Prefix, if it still wants to use the same Mobile Network
   Prefix.  Otherwise, if the Home Agent does not receive any renewal
   request before expiration, the Home Agent will recycle the expired
   Mobile Network Prefix for re-allocation later.

   The renewal procedure is usually initiated by the Mobile Router.  To
   renew a Mobile Network Prefix, the Mobile Router initiates the IKEv2
   Informational Exchange with the Home Agent and includes the Mobile
   Network Prefix to be renewed and a new lifetime in the CFG_REQUEST
   payload.  If such request is valid, the Home Agent sends back the
   same Mobile Network Prefix with the authorized lifetime in the CFG-
   REPLY payload to the UE.

5.2.  Releasing the Mobile Network Prefix

   The Mobile Network Prefix release procedure can be initiated by
   either the Mobile Router or the Home Agent.

   To release an allocated Mobile Network Prefix, the Mobile Router
   initiates the IKEv2 Informational Exchange with the Home Agent.  In
   the CFG_REQUEST payload carried in the IKEv2 request message, the
   Mobile Router includes the Mobile Network Prefix to be released and
   the lifetime set as zero in the MOBILE_NETWORK_PREFIX6 attribute.  As



Zhao, et al.             Expires January 7, 2009                [Page 8]

Internet-Draft                MNP Assigment                    July 2008


   a reply, the Home Agent returns a CFG_REPLY payload indicating the
   released Mobile Network Prefix and the lifetime set as zero.

   To release an allocated Mobile Network Prefix, the Home Agent can
   also initiate the IKEv2 Informational Exchange with the Mobile
   Router.  In the IKEv2 Informational Exchange message sent to the
   Mobile Router, the Home Agent uses the CFG_REQUEST payload to carry
   the MOBILE_NETWORK_PREFIX6 attribute that indicates the Mobile
   Network Prefix to be released and the lifetime set as zero.  When the
   Mobile Router receives such IKEv2 request message, it removes the
   corresponding configuration and replies with a CFG_REPLY payload to
   carry the MOBILE_NETWORK_PREFIX6 attribute that indicates the
   released Mobile Network Prefix and the lifetime set as zero.  When
   the Home Agent receives this responses, it recycles the released
   Mobile Network Prefix.

5.3.  Updating the Mobile Network Prefix

   The Mobile Network Prefix update procedure can be initiated by either
   the Mobile Router or the Home Agent.

   One way to perform the Mobile Router initiated Mobile Network Prefix
   update procedure is that the Home Agent returns a different Mobile
   Network Prefix when the Mobile Router requests to renew a Mobile
   Network Prefix.  Another way is that the Mobile Router indicates the
   release of the old Mobile Network Prefix and the request of a new
   Mobile Network Prefix by using two separate MOBILE_NETWORK_PREFIX6
   attributes in one CFG_REQUEST payload.  The Home Agent should return
   a new Mobile Network Prefix and confirm the release of the old Mobile
   Network Prefix by using two separate MOBILE_NETWORK_PREFIX6
   attributes in one CFG_REPLY payload.

   To perform the Home Agent initiated Prefix update procedure, the Home
   Agent indicates the release of the old Mobile Network Prefix and the
   assignment of a new Mobile Network Prefix by using two separate
   MOBILE_NETWORK_PREFIX6 attributes in one CFG_REQUEST payload.  In
   this case, the Mobile Node should confirm the assignment of the new
   Mobile Network Prefix and the release of the old Mobile Network
   Prefix by using two separate MOBILE_NETWORK_PREFIX6 attributes in one
   CFG_REPLY payload.











Zhao, et al.             Expires January 7, 2009                [Page 9]

Internet-Draft                MNP Assigment                    July 2008


6.  Security Consideration

   This document describes the use of a new IKEv2 Configuration
   Attribute to assign the Mobile Network Prefix to the Mobile Router.
   The security issues related to the IKEv2 protocol are discussed in
   the "Security Considerations" section of the Internet Key Exchange
   (IKEv2) Protocol [9].  This document does not introduce any
   additional security considerations related to such IKEv2 message
   exchange.

   When the Mobile Router requests a Mobile Network Prefix from the Home
   Agent during the IKEv2 message exchange, in addition to verifying the
   identity of the Mobile Router, the Home Agent must also verify
   whether the Mobile Router is eligible to request a Mobile Network
   Prefix, based on the Mobile Router's profile and network policies.
   This is because the policy of the home network operator may not allow
   the Mobile Router to request the Mobile Network Prefix from a Home
   Agent located in the certain roaming domain.  Such verification can
   be performed as a part of IKEv2 authentication process, for example,
   by checking the Mobile Router's profile after authenticating the
   identity of the Mobile Router and associated credentials using
   certain authentication protocols (e.g.  EAP).

   The NEMO Basic Support protocol [1] requires that the Home Agent
   check if a Mobile Network Prefix received in a Binding Update message
   is authorized to be used.  To do so, the Home Agent can associate the
   mobile node identity used in the IKEv2 authentication process with
   the Home Network Prefix allocated.

   In some deployment, the Home Agent itself manages the allocation of
   Mobile Network Prefixes, for example, from a locally managed prefix
   pool.  It is also possible that additional back-end servers are used
   for Mobile Network Prefix assignment.  For example, the Home Agent
   can act as a DHCP Requesting Router and interact with a DHCP
   Delegating Router.  The security mechanism protecting the interaction
   between the Home Agent and such back-end servers could be generic
   security mechanisms, such as IPSec, or specific to the protocols used
   in between, such as DHCP authentication option.  Once allocated, the
   Mobile Network Prefix must not be assigned to a different Mobile
   Router until such Mobile Network Prefix is returned to the Home
   Agent.


7.  IANA Consideration

   This document defines one new IKEv2 Configuration Attribute Type,
   MOBILE_NETWORK_PREFIX6.  The value of such type is expected to be
   assigned from the "IKEv2 Configuration Payload Attribute Types"



Zhao, et al.             Expires January 7, 2009               [Page 10]

Internet-Draft                MNP Assigment                    July 2008


   namespace [9] by IANA.


8.  References

   [1]   Devarapalli, V., Wakikawa, R., Petrescu, A., and P. Thubert,
         "Network Mobility (NEMO) Basic Support Protocol", RFC 3963,
         January 2005.

   [2]   Patel, A. and G. Giaretta, "Problem Statement for Bootstrapping
         Mobile IPv6 (MIPv6)", RFC 4640, September 2006.

   [3]   Giaretta, G., Kempf, J., and V. Devarapalli, "Mobile IPv6
         Bootstrapping in Split Scenario", RFC 5026, October 2007.

   [4]   Chowdhury, K. and A. Yegin, "MIP6-bootstrapping for the
         Integrated Scenario",
         draft draft-ietf-mip6-bootstrapping-integrated-06, April 2008.

   [5]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", RFC 2119, March 1997.

   [6]   Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in
         IPv6", RFC 3775, June 2004.

   [7]   Manner, J. and M. Kojo, "Mobility Related Terminology",
         RFC 3753, June 2004.

   [8]   Ernst, T. and H-Y. Lach, "Network Mobility Support
         Terminology", RFC 4885, July 2007.

   [9]   Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
         RFC 4306, December 2005.

   [10]  Devarapalli, V. and F. Dupont, "Mobile IPv6 Operation with
         IKEv2 and the Revised IPsec Architecture", RFC 4877,
         April 2007.

   [11]  Hinden, R. and S. Deering, "IP Version 6 Addressing
         Architecture", RFC 4291, February 2006.

   [12]  Ernst, T., "Network Mobility Support Goals and Requirements",
         RFC 4886, July 2007.

   [13]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M.
         Carney, "Dynamic Host Configuration Protocol for IPv6
         (DHCPv6)", RFC 3315, July 2003.




Zhao, et al.             Expires January 7, 2009               [Page 11]

Internet-Draft                MNP Assigment                    July 2008


   [14]  Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host
         Configuration Protocol (DHCP) version 6", RFC 3633,
         December 2003.


Authors' Addresses

   Fan Zhao
   Marvell Semiconductor, Inc.
   5488 Marvell Lane
   Santa Clara, CA  95054
   US

   Email: fanzhao@marvell.com


   Stefano Faccin
   Marvell Semiconductor, Inc.
   5488 Marvell Lane
   Santa Clara, CA  95054
   US

   Email: smfaccin@marvell.com


   Ameya Damle
   Marvell Semiconductor, Inc.
   5488 Marvell Lane
   Santa Clara, CA  95054
   US

   Email: adamle@marvell.com



















Zhao, et al.             Expires January 7, 2009               [Page 12]

Internet-Draft                MNP Assigment                    July 2008


Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.











Zhao, et al.             Expires January 7, 2009               [Page 13]