The IETF (Internet Engineering Task Force) is evaluating specifications for Mobile IPv6 (Ref. Mobility Support in IPv6 <draft-ietf-mobileip-ipv6-19.txt>, Work in Progress).
The elements comprising the Mobile IPv6 network are a mobile node (MN), a home agent (HA), and a correspondent node (CN).
The MN is assigned an IP address (home address) that does not change even when the MN moves. A link whose prefix matches that of the home address is called the home link. The HA holds location information (a binding cache) for MNs that are away from the home link.
When on a link other than the home link, the MN acquires a Care-of Address (hereafter CoA). An MN that is away from the home link receives the router advertisements sent periodically by a router on the visited link. The MN detects movement when it sees a prefix that differs from that of its home address, and generates a CoA from the new prefix. The MN then registers (stores) information binding the CoA to the home address in the HA.
The MN also has a home agent address discovery function (a function for finding the HA address) and can actively search for the IP address of the HA. The MN first forms a Mobile IPv6 Home-Agents Anycast Address from the prefix of the home link and sends an ICMP Home Agent Address Discovery Request to that address. The request is received by one of the HAs on the home link. The HA that received it sends an ICMP Home Agent Address Discovery Reply containing HA information to the MN. The MN extracts the HA information from the reply, obtains the HA address, and sends a binding update to that address.
The HA receives the binding update and stores the MN location information in the binding cache.
In order to act as a proxy for the MN, the HA sends a neighbor advertisement to the all-nodes multicast address of the home link. A node that receives this neighbor advertisement stores an entry in its neighbor cache linking the MN's home address to the HA's link layer address. The HA thereby captures packets addressed to the home address of the MN.
Mobile IPv6 also includes a function for notifying an MN that is away from the home link of home network prefix information. For example, if the prefix of the home network has changed, the HA looks up the binding cache and sends the prefix information (a mobile prefix advertisement) to the MN at its registered location. The MN may also request prefix information from the HA (a mobile prefix solicitation).
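The movement detection, CoA generation, Home-Agents anycast address formation and binding registration described above, as an added illustration (this is not code from the original text or from any Mobile IPv6 implementation). The prefixes, interface identifier and link-layer address are constructed sample values; the anycast interface identifier follows RFC 2526's reserved Home-Agents anycast ID.

```python
import ipaddress

# Reserved subnet-anycast ID for "Mobile IPv6 Home-Agents" (RFC 2526): it occupies
# the low 7 bits of the reserved interface identifier fdff:ffff:ffff:ff80.
HOME_AGENTS_ANYCAST_ID = 0x7E
IID_MASK = 0xFFFFFFFFFFFFFFFF

def make_address(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | (interface_id & IID_MASK))

def home_agents_anycast(home_prefix: str) -> ipaddress.IPv6Address:
    """Destination of the ICMP Home Agent Address Discovery Request."""
    return make_address(home_prefix, 0xFDFFFFFFFFFFFF80 | HOME_AGENTS_ANYCAST_ID)

def detect_movement(home_addr: ipaddress.IPv6Address, advertised_prefix: str):
    """A router advertisement with a prefix other than the home prefix means the MN
    has moved: return a CoA built from that prefix (same interface ID), else None."""
    home_net = ipaddress.IPv6Network((home_addr, 64), strict=False)
    if ipaddress.IPv6Network(advertised_prefix) == home_net:
        return None
    return make_address(advertised_prefix, int(home_addr) & IID_MASK)

class HomeAgent:
    """Binding cache plus the effect of the HA's proxy neighbor advertisement."""
    def __init__(self, address: str, link_layer_addr: str):
        self.address = ipaddress.IPv6Address(address)
        self.link_layer_addr = link_layer_addr
        self.binding_cache = {}             # home address -> CoA
        self.home_link_neighbor_cache = {}  # home address -> link-layer address on the home link

    def receive_binding_update(self, home_addr, coa):
        self.binding_cache[home_addr] = coa
        # Proxy NA to the all-nodes multicast address: nodes on the home link now
        # resolve the MN's home address to the HA, so the HA captures its packets.
        self.home_link_neighbor_cache[home_addr] = self.link_layer_addr

def roam(home_prefix: str, mn_iid: int, visited_prefix: str, ha: HomeAgent):
    """Constructed walk-through: MN moves, forms the anycast address for HA discovery,
    and registers its CoA with the HA learned from the discovery reply."""
    home_addr = make_address(home_prefix, mn_iid)
    coa = detect_movement(home_addr, visited_prefix)
    anycast = home_agents_anycast(home_prefix)
    if coa is not None:
        ha.receive_binding_update(home_addr, coa)
    return home_addr, coa, anycast
```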
The IP Security Protocol (IPsec) has attracted attention as a technology for achieving security on IP networks. IPsec conveys IP packets safely by using encryption and authentication technology. Mobile IPv6 applies IPsec to the location registration signals (binding updates) sent from the MN to the HA (Ref. draft-ietf-mobileip-mipv6-ha-ipsec-01.txt, Work in Progress).
IPsec provides its security functions by establishing an SA (security association) between the devices that use IPsec. Each device using IPsec holds an SPD (security policy database) and an SAD (security association database).
The security policy database (SPD) specifies how packets are to be processed. The security association database (SAD) is the list of SAs held by a device using IPsec. Each SA is identified by an SPI (Security Parameters Index).
An SA may be created either by manual configuration or automatically. IKE (Internet Key Exchange) is a protocol for automatically creating and managing these SAs. IKE generates an SA by means of a proposal exchange function, a function for generating a secret key, and a function for authenticating the IKE peer.
The authentication methods specified for IKE peers include pre-shared key authentication, public key authentication, and digital signature authentication. Digital signature authentication is highly flexible because key information need not be shared beforehand with the other communicating party (the correspondent node). In the digital signature authentication method, public key certificates are issued by a CA (Certification Authority). The format of a public key certificate is specified in X.509.
CMP (Certificate Management Protocol) is a protocol for issuing and managing digital certificates. CMP is specified in IETF RFC 2510 and is carried over transport protocols such as HTTP (HyperText Transfer Protocol) and TCP (Transmission Control Protocol).
One technology proposed for localized mobility management based on Mobile IPv6 is Hierarchical Mobile IPv6 mobility management (HMIPv6) (Ref. draft-ietf-mobileip-hmipv6-07.txt, Work in Progress). HMIPv6 places a MAP (Mobile Anchor Point) between the HA and the MN. The MN receives a router advertisement containing a MAP option from the AR (Access Router), obtains the MAP's IP address, and generates an RCoA (Regional Care-of Address) and an LCoA (On-link CoA). An HMIPv6-capable MN registers its location information with both the MAP and the HA. The MAP manages the binding between the MN's RCoA and LCoA, and the HA manages the binding between the MN's home address and RCoA. When the MN moves within the MAP's domain, it only updates the location information held by the MAP.
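The two-level HMIPv6 binding just described, as an added model (not code from the original text or from any HMIPv6 implementation): the MAP keeps RCoA to LCoA bindings, the HA keeps home address to RCoA bindings, and a move between access routers inside the same MAP domain refreshes only the MAP binding. The MAP addresses and prefixes are constructed sample values; the RA is modelled as a call carrying the AR prefix and the MAP option.

```python
import ipaddress

IID_MASK = 0xFFFFFFFFFFFFFFFF

def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))

class MobileAnchorPoint:
    """MAP: holds RCoA -> LCoA bindings for the MNs in its domain."""
    def __init__(self, address: str, prefix: str):
        self.address = ipaddress.IPv6Address(address)
        self.prefix = prefix       # prefix (from the MAP option) the MN forms its RCoA from
        self.bindings = {}         # RCoA -> LCoA

class HomeAgent:
    """HA: holds home address -> RCoA bindings."""
    def __init__(self):
        self.bindings = {}

class HmipMobileNode:
    def __init__(self, home_prefix: str, iid: int, ha: HomeAgent):
        self.home_addr = make_address(home_prefix, iid)
        self.iid = iid
        self.ha = ha
        self.map = None            # MAP the MN is currently registered with
        self.rcoa = None
        self.ha_updates = 0
        self.map_updates = 0

    def receive_router_advertisement(self, ar_prefix: str, map_: MobileAnchorPoint) -> str:
        """RA from an AR carrying a MAP option; returns which bindings were refreshed."""
        lcoa = make_address(ar_prefix, self.iid)         # on-link CoA from the AR prefix
        if self.map is None or map_.address != self.map.address:
            # Entered a new MAP domain: form a new RCoA, register with the MAP, then the HA.
            self.map = map_
            self.rcoa = make_address(map_.prefix, self.iid)
            map_.bindings[self.rcoa] = lcoa
            self.map_updates += 1
            self.ha.bindings[self.home_addr] = self.rcoa
            self.ha_updates += 1
            return "map+ha"
        # Moved between ARs inside the same MAP domain: only the MAP binding changes.
        map_.bindings[self.rcoa] = lcoa
        self.map_updates += 1
        return "map"
```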
The IETF is currently evaluating IPv6 Prefix Delegation Options for DHCPv6 (hereafter DHCP-PD) (draft-ietf-dhc-dhcpv6-opt-prefix-delegation-01.txt, Work in Progress). DHCP-PD uses DHCP (Dynamic Host Configuration Protocol) to assign one or more IPv6 prefixes to a site from the address-assigning side.
The elements comprising DHCP-PD are the delegating router and the requesting router. The requesting router asks the delegating router to assign one or more IPv6 prefixes. The delegating router selects the prefixes and sends them to the requesting router. DHCP-PD is used, for example, by an ISP (Internet Service Provider) when assigning prefixes to subscribers.
In a communication system in which a zone A and a zone B are interconnected, when a mobile node (MN) belonging to zone A has moved to zone B, that MN registers its location with the HA of zone A. The location registration signal (binding update) is then subjected to IPsec processing.
The related art has the problem that, when the SA (security association) between the HA and the MN is set manually, security cannot be maintained once information about the key used for encryption has leaked. In addition, using the Mobile IPv6 prefix advertisement function and the HA address discovery function changes the home address of the MN or the HA address, so manually setting the SA between the MN and the HA is not practical during system operation. There is also currently no means in Mobile IP of verifying whether the MN is genuine.
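The SPD/SAD lookup described in the IPsec paragraphs above, and the manual-SA problem stated here, as an added model (not code from the original text or from any IPsec implementation): the SPD selects an action per packet, the SAD is keyed by SPI, and an SA keyed manually for the MN's original home address no longer fits once a mobile prefix advertisement has changed that address. The addresses, SPI, key and the "*" wildcard convention are constructed for the example; 135 is the IPv6 next-header value of the Mobility Header.

```python
from dataclasses import dataclass

MOBILITY_HEADER = 135   # IPv6 next-header value of the Mobility Header (carries binding updates)

@dataclass(frozen=True)
class Selector:
    """SPD selector; "*" matches any address (constructed convention for this example)."""
    src: str
    dst: str
    next_header: int
    def matches(self, src: str, dst: str, next_header: int) -> bool:
        return (self.src in ("*", src) and self.dst in ("*", dst)
                and self.next_header == next_header)

@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    src: str
    dst: str
    key: bytes

class IPsecNode:
    def __init__(self):
        self.spd = []   # ordered (Selector, action) entries: "protect" / "bypass" / "discard"
        self.sad = {}   # SPI -> SecurityAssociation; inbound packets are matched by SPI

    def add_manual_sa(self, sa: SecurityAssociation):
        if sa.spi in self.sad:
            raise ValueError("duplicate SPI")
        self.sad[sa.spi] = sa

    def outbound(self, src: str, dst: str, next_header: int):
        """SPD lookup for an outgoing packet; returns (action, spi_or_None)."""
        for selector, action in self.spd:
            if selector.matches(src, dst, next_header):
                if action != "protect":
                    return action, None
                for spi, sa in self.sad.items():
                    if (sa.src, sa.dst) == (src, dst):
                        return "protect", spi
                return "discard", None   # policy requires IPsec but no SA fits the addresses
        return "discard", None           # no policy matched

def renumbering_scenario():
    """Constructed: SA keyed manually for the original home address; after the home
    prefix changes, the binding update matches the policy but finds no SA."""
    mn, ha_addr = IPsecNode(), "2001:db8:1::1"
    mn.spd.append((Selector("*", ha_addr, MOBILITY_HEADER), "protect"))
    mn.add_manual_sa(SecurityAssociation(0x1000, "2001:db8:1::2", ha_addr, b"constructed-key"))
    before = mn.outbound("2001:db8:1::2", ha_addr, MOBILITY_HEADER)
    after = mn.outbound("2001:db8:9::2", ha_addr, MOBILITY_HEADER)  # home address after renumbering
    return before, after
```

The "discard" result for the renumbered address is the operational gap the text names: with a manual SA there is nothing that re-keys for the new home address, whereas automatic SA creation (IKE) would negotiate a fresh SA for it.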