Mobile IP
Feature Summary
As PDAs and the next generation of data-ready cellular phones become more widely deployed, a greater degree of connectivity is almost becoming a necessity for the business user on the go. Data connectivity solutions for this group of users are a very different requirement than they are for the fixed dialup user or the stationary wired LAN user. Solutions here need to deal with the challenge of movement during a data session or conversation. Cellular service providers and network administrators wanting to deploy wireless LAN technologies need a solution which will grant this greater freedom.
Cisco IOS has integrated new technology into our routing platforms to meet these new networking challenges. Mobile IP is a tunneling-based solution which takes advantage of the Cisco-created GRE tunneling technology, as well as the simpler IP-in-IP tunneling protocol. This tunneling enables a router on a user's home subnet to intercept and transparently forward IP packets to users while they roam beyond traditional network boundaries. This solution is a key enabler of wireless mobility, both in the wireless LAN arena, such as the 802.11 standard, and in the cellular environment for packet-based data offerings which provide connectivity to a user's home network and the Internet.
Mobile IP provides users the freedom to roam beyond their home subnet while consistently maintaining their home IP address. This enables transparent routing of IP datagrams to mobile users during their movement, so that data sessions can be initiated to them while they roam; it also enables sessions to be maintained in spite of physical movement between points of attachment to the Internet or other networks. Cisco's implementation of Mobile IP is fully compliant with the Internet Engineering Task Force's (IETF's) proposed standard defined in Request for Comments (RFC) 2002.
Benefits
Mobile IP is most useful in environments where mobility is desired and the traditional land line dial-in model or DHCP do not provide adequate solutions for the needs of the users. If it is necessary or desirable for a user to maintain a single address while they transition between networks and network media, Mobile IP can provide them with this ability. Generally, Mobile IP is most useful in environments where a wireless technology is being utilized. This includes cellular environments as well as wireless LAN situations that may require roaming. Mobile IP can go hand in hand with many different cellular technologies like CDMA, TDMA, GSM, AMPS, NAMPS, as well as other proprietary solutions, to provide a mobile system which will scale for many users.
Each mobile node is always identified by its home address, no matter what its current point of attachment to the Internet, allowing for transparent mobility with respect to the network and all other devices. The only devices which need to be aware of the movement of this node are the mobile device and a router serving the user's topologically correct subnet.
List of Terms
agent discovery—The method by which a mobile node determines whether it is currently connected to its home network or a foreign network and detects whether it has moved and the way it has moved. It is the mechanism by which mobile nodes query and discover mobility agents. This is done through an extension of the ICMP Router Discovery Protocol, IRDP (RFC 1256), which includes a mechanism to advertise mobility services to potential users.
care-of address—The termination point of the tunnel to a mobile node. This can be a collocated care-of address, where the mobile node acquires a local address and detunnels its own packets, or a foreign agent care-of address, where a foreign agent detunnels packets and forwards them to the mobile node.
correspondent node—A peer with which a mobile node is communicating. A correspondent node may be either stationary or mobile.
foreign agent—A router on a mobile node's visited network which provides routing services to the mobile node while registered. The foreign agent detunnels and delivers datagrams to the mobile node that were tunneled by the mobile node's home agent. For datagrams sent by a mobile node, the foreign agent may serve as a default router for registered mobile nodes.
home address—An IP address that is assigned for an extended time to a mobile node. It remains unchanged regardless of where the node is attached to the Internet.
home agent—A router on a mobile node's home network which tunnels packets to the mobile node while it is away from home. It keeps current location information, called a mobility binding, for each registered mobile node.
home network—The network or virtual network which matches the subnet address of the mobile node.
mobile node—A host or router that changes its point of attachment from one network or subnet to another. A mobile node may change its location without changing its IP address; it may continue to communicate with other Internet nodes at any location using its home IP address, assuming link-layer connectivity to a point of attachment is available.
mobility agent—A home agent or a foreign agent.
mobility binding—The association of a home address with a care-of address and the remaining lifetime.
mobility security association—A collection of security contexts between a pair of nodes, which may be applied to Mobile IP protocol messages exchanged between them. Each context indicates an authentication algorithm and mode, a secret (a shared key or appropriate public/private key pair), and a style of replay protection in use.
MTU—Maximum transmission unit. Maximum packet size, in bytes, that a particular interface can handle.
node—A host or router.
registration—The process by which the mobile node is associated with a care-of address on the home agent while it is away from home. This may happen directly from the mobile node to the home agent or through a foreign agent.
security parameter index (SPI)—The index identifying a security context between a pair of nodes.
tunnel—The path followed by a datagram while it is encapsulated from the home agent to the mobile node.
virtual network—A network with no physical instantiation beyond a router (with a physical network interface on another network). The router (a home agent, for example) generally advertises reachability to the virtual network using conventional routing protocols.
visited network—A network other than a mobile node's home network, to which the mobile node is currently connected.
visitor list—The list of mobile nodes visiting a foreign agent.
Platforms
This feature is supported on these platforms:
• Cisco 2500 Series
• Cisco 2600 Series
• Cisco 3600 Series
• Cisco 4000 Series
• Cisco 4500 Series
• Cisco 4700 Series
• Cisco 7200 Series
• Cisco 7500 Series
Prerequisites
To configure home agent functionality on your router, you need to determine IP addresses or subnets for which you would like to allow roaming service. If you intend to support roaming without having a physical home location for the roaming devices, you need to identify the subnets for which you will allow this service and place these virtual networks appropriately within your network on the home agent. It is possible to enable home agent functionality for a homed or non-homed subnet. In the case of non-homed addresses, it is necessary to define virtual networks on the router. Mobile IP Home Agent and Foreign agent services can be configured on the same router or on separate routers to enable Mobile IP service to users.
Since Mobile IP requires support on the host device, it is necessary that each mobile node is appropriately configured for the desired Mobile IP service. Please refer to the manual entries in your mobile aware IP stack vendor's documentation for details on this.
Supported MIBs and RFCs
This feature supports the following MIBs:
• RFC2006-MIB.my
For descriptions of supported MIBs and how to use MIBs, see Cisco's MIB website on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
This feature supports the following RFCs:
• RFC 2002
• RFC 2003
• RFC 2006
Configuration Tasks
To enable Mobile IP services on your network, you need to determine not only which home agents will facilitate the tunneling for the selected IP addresses, but also where these devices or hosts will be allowed to roam. The areas, or subnets, into which the hosts will be allowed to roam determine where Foreign Agent services need to be set up.
To configure Mobile IP, complete the following tasks as related to the functions you intend to support.
Enabling Home Agent Services
Home Agent functionality is useful within an enterprise network to allow users to retain an IP address while they move their laptop PCs from their desktops into conference rooms, labs, or common areas. It is especially beneficial in environments where wireless LANs are used, since the tunneling of datagrams hides the movement of the host and so allows a seamless transition between base stations. To support the mobility of users beyond the bounds of the enterprise network, home agent functionality can also be enabled for virtual subnets on the DMZ or periphery of the network, to communicate with external foreign agents.
To enable Home Agent service for users having homed or virtually homed IP addresses on the router, use the following commands in global configuration mode:
Step 1
Command: router mobile
Purpose: Enable Mobile IP on the router.

Step 2
Command: ip mobile home-agent
Purpose: Enable home agent service.

Step 3
Command: ip mobile virtual-network addr mask
Purpose: Add virtual network to routing table. If not using a virtual network, skip to step 6.

Step 4
Command: router protocol
         redistribute mobile
Purpose: Enable redistribution of virtual network into routing protocol(s).

Step 5
Command: ip mobile host lower [upper] virtual-network addr mask [aaa [load-sa]]
Purpose: Specify mobile nodes (on virtual network) and where their security associations are stored. (1)

Step 6
Command: ip mobile host lower [upper] {interface name}
Purpose: Specify mobile nodes on interface and where their security associations are stored. Skip this step if there are no mobile nodes on the interface.

Step 7
Command: ip mobile secure host addr {inbound-spi spi-in outbound-spi spi-out | spi spi} key hex string
Purpose: Set up mobile hosts' security associations. Skip this step if using AAA.

Step 8
Command: ip mobile secure foreign-agent addr {inbound-spi spi-in outbound-spi spi-out | spi spi} key hex string
Purpose: (Optional) Set up foreign agents' security associations. Skip this step unless you have a security association with remote foreign agents.

(1) By default, security associations are expected to be configured locally; however, the security association configuration can be offloaded to an AAA server.
Enabling Foreign Agent Services
Foreign Agent services need to be enabled on a router attached to any subnet into which a mobile node may be roaming. Therefore, you need to configure Foreign Agent functionality on routers connected to conference room or lab subnets, for example. For administrators wanting to utilize roaming between wireless LANs, Foreign Agent functionality would be configured on routers connected to each base station. In this case it is conceivable that both Home Agent and Foreign Agent functionality will be enabled on some of the routers connected to these wireless LANs.
To start a foreign agent providing default services, use the following commands in global configuration mode:
Verify Setup
To make sure Mobile IP is set up correctly, use any of the following commands in EXEC mode:
Monitor and Maintain Mobile IP
To monitor and maintain Mobile IP, use any of the following commands:

Command: show ip mobile host
Purpose: Check mobile node counters (home agent only).

Command: show ip mobile binding
Purpose: Check mobility bindings (home agent only).

Command: show ip mobile tunnel
Purpose: Check active tunnels.

Command: show ip mobile visitor
Purpose: Check visitor bindings (foreign agent only).

Command: show ip route mobile
Purpose: Check Mobile IP routes.

Command: show ip mobile traffic
Purpose: Check protocol statistics.

Command: clear ip mobile traffic
Purpose: Clear counters.

Command: show ip mobile violation
Purpose: Check security violations.

Command: debug ip mobile advertise
Purpose: Display advertisement information. (1)

Command: debug ip mobile host
Purpose: Display mobility events.

(1) Make sure ICMP Router Discovery Protocol (IRDP) is running on the interface.
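The registration counters reported by show ip mobile traffic are cumulative and are zeroed by clear ip mobile traffic, so anyone polling them for security monitoring has to handle both growth and resets. The following Python script is an added example, not part of this Cisco document: it parses the security-relevant home agent counters out of show ip mobile traffic output in the format shown later on this page, computes the growth between two polls, treats a counter that went backwards as a reset, and flags growth in the authentication and Identification failure counters. The snapshots are constructed (the first copies the figures shown on this page), and the counter names, alert set and threshold are this example's own choices.

```python
import re

# Home agent registration counters from "show ip mobile traffic" that carry a
# security meaning. The patterns follow the output format shown on this page.
PATTERNS = {
    "denied": re.compile(r"\bDenied (\d+)"),
    "admin_prohibited": re.compile(r"Administrative prohibited (\d+)"),
    "mn_auth_failed": re.compile(r"Authentication failed MN (\d+)"),
    "fa_auth_failed": re.compile(r"Authentication failed MN \d+, FA (\d+)"),
    "bad_identification": re.compile(r"Bad identification (\d+)"),
}
# Counters whose growth points at bad keys, clock skew or replayed registrations
ALERT_ON = ("mn_auth_failed", "fa_auth_failed", "bad_identification")


def parse_traffic(text):
    """Pull the security-relevant counters out of one show command snapshot."""
    counters = {}
    for name, pattern in PATTERNS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"counter {name!r} not found in output")
        counters[name] = int(match.group(1))
    return counters


def increments(previous, current):
    """Growth per counter between two polls. Counters are cumulative until
    'clear ip mobile traffic' zeroes them, so a value that went backwards is
    read as a reset and the whole current value counts as new activity."""
    return {name: (value if value < previous.get(name, 0) else value - previous.get(name, 0))
            for name, value in current.items()}


def alerts(previous, current, threshold=1):
    """Names of alert counters that grew by at least `threshold` since the last poll."""
    grown = increments(previous, current)
    return sorted(name for name in ALERT_ON if grown[name] >= threshold)


# Constructed snapshots; the first copies the figures shown on this page.
SNAPSHOT_T0 = """\
IP Mobility traffic:
Advertisements:
    Solicitations received 0
    Advertisements sent 0, response to solicitation 0
Home Agent Registrations:
    Register 8, Deregister 0 requests
    Register 7, Deregister 0 replied
    Accepted 6, No simultaneous bindings 0
    Denied 1, Ignored 1
    Unspecified 0, Unknown HA 0
    Administrative prohibited 0, No resource 0
    Authentication failed MN 0, FA 0
    Bad identification 1, Bad request form 0
"""
# A later poll: more denials, some of them authentication and identification failures
SNAPSHOT_T1 = (SNAPSHOT_T0.replace("Denied 1,", "Denied 8,")
               .replace("Authentication failed MN 0,", "Authentication failed MN 3,")
               .replace("Bad identification 1,", "Bad identification 5,"))
# A poll taken after "clear ip mobile traffic", with two new MN authentication failures
SNAPSHOT_AFTER_CLEAR = (SNAPSHOT_T0.replace("Denied 1,", "Denied 2,")
                        .replace("Bad identification 1,", "Bad identification 0,")
                        .replace("Authentication failed MN 0,", "Authentication failed MN 2,"))
```

Polling show ip mobile traffic on a schedule, feeding consecutive snapshots through parse_traffic and alerts, and pairing a hit with show ip mobile violation gives the reason for each failure; the reset handling matters because an operator running clear ip mobile traffic for debugging would otherwise hide new failures behind a negative delta.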
Shutting Down Mobile IP
To shut down Mobile IP, use all of the following commands in global configuration mode:
Command: no ip mobile home-agent
Purpose: Disable home agent services.

Command: no ip mobile foreign-agent
Purpose: Disable foreign agent services.

Command: no router mobile
Purpose: Stop Mobile IP process.
Configuration Examples
This section contains the following configuration examples:
• Home Agent Configuration Example
• Home Agent Using AAA Server Example
• Foreign Agent Configuration Example
Home Agent Configuration Example
In the following example, the home agent has five mobile hosts on interface Ethernet1 (network 11.0.0.0) and ten on virtual network 10.0.0.0. There are two mobile node groups. Each mobile host has one security association. The home agent has an access list that disables roaming by mobile host 11.0.0.5. The 11.0.0.0 group has a lifetime of 1 hour (3600 seconds). The 10.0.0.0 group cannot roam into areas where the network is 13.0.0.0.
router mobile
!
! Define which hosts are permitted to roam
ip mobile home-agent broadcast roam-access 1
!
! Define a virtual network
ip mobile network 10.0.0.0 255.0.0.0
!
! Define which hosts are on the virtual network, and the care-of access list
ip mobile host 10.0.0.1 10.0.0.10 virtual-network 10.0.0.0 255.0.0.0 care-of-access 2
!
! Define which hosts are on Ethernet 1, with lifetime of one hour
ip mobile host 11.0.0.1 11.0.0.5 interface Ethernet1 lifetime 3600
!
! The next ten lines specify security associations for mobile hosts
! on virtual network 10.0.0.0
!
ip mobile secure host 10.0.0.1 spi 100 key hex 12345678123456781234567812345678
ip mobile secure host 10.0.0.2 spi 200 key hex 87654321876543218765432187654321
ip mobile secure host 10.0.0.3 spi 300 key hex 31323334353637383930313233343536
ip mobile secure host 10.0.0.4 spi 100 key hex 45678332353637383930313233343536
ip mobile secure host 10.0.0.5 spi 200 key hex 33343536313233343536373839303132
ip mobile secure host 10.0.0.6 spi 300 key hex 73839303313233343536313233343536
ip mobile secure host 10.0.0.7 spi 100 key hex 83930313233343536313233343536373
ip mobile secure host 10.0.0.8 spi 200 key hex 43536373839313233330313233343536
ip mobile secure host 10.0.0.9 spi 300 key hex 23334353631323334353637383930313
ip mobile secure host 10.0.0.10 spi 100 key hex 63738393132333435330313233343536
!
! The next five lines specify security associations for mobile hosts
! on Ethernet1
!
ip mobile secure host 11.0.0.1 spi 100 key hex 73839303313233343536313233343536
ip mobile secure host 11.0.0.2 spi 200 key hex 83930313233343536313233343536373
ip mobile secure host 11.0.0.3 spi 300 key hex 43536373839313233330313233343536
ip mobile secure host 11.0.0.4 spi 100 key hex 23334353631323334353637383930313
ip mobile secure host 11.0.0.5 spi 200 key hex 63738393132333435330313233343536
!
! Deny access for this host. A standard access list ends with an implicit
! deny of everything it does not list, so the remaining hosts are permitted explicitly
access-list 1 deny 11.0.0.5
access-list 1 permit any
!
! Deny access to anyone on network 13.0.0.0 trying to register. The wildcard
! mask makes the entry cover the whole network instead of the single address 13.0.0.0
access-list 2 deny 13.0.0.0 0.255.255.255
access-list 2 permit any

Home Agent Using AAA Server Example
In the following AAA server configuration, the home agent can use an AAA server for storing security associations. Mobile IP has been authorized to use a TACACS+ server to retrieve the security association information, which the home agent uses to authenticate registrations. This format can be imported into a CiscoSecure server.
user = 20.0.0.1 {
    service = mobileip {
        set spi#0 = "spi 100 key hex 12345678123456781234567812345678"
    }
}
user = 20.0.0.2 {
    service = mobileip {
        set spi#0 = "spi 100 key hex 12345678123456781234567812345678"
    }
}
user = 20.0.0.3 {
    service = mobileip {
        set spi#0 = "spi 100 key hex 12345678123456781234567812345678"
    }
}

In the example above, user is the mobile node's IP address. The syntax for the security association is spi#num = "string", where string is the rest of the ip mobile secure {host | visitor | home-agent | foreign-agent} key hex string command.
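As an added example (not part of this Cisco document), the following Python code parses both places a security association can be stored: the CiscoSecure mobileip profile format above and the router's own ip mobile secure lines. Both carry the same spi ... key hex ... string, and the parser accepts both the spi form and the inbound-spi/outbound-spi form of that string. It also reports entries whose key is not valid hex, the kind of profile defect that leaves a mobile node unable to authenticate. The sample profile and configuration lines, the key values and the helper names are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityAssociation:
    inbound_spi: int
    outbound_spi: int
    key: bytes  # the digits after "key hex", decoded


# The string shared by both storage formats is the tail of the
# "ip mobile secure ... key hex" command; either form of the SPI clause is allowed.
SA_STRING = re.compile(
    r"^(?:spi\s+(\d+)|inbound-spi\s+(\d+)\s+outbound-spi\s+(\d+))\s+key\s+hex\s+([0-9A-Fa-f]+)$")


def parse_sa_string(text):
    m = SA_STRING.match(text.strip())
    if m is None:
        raise ValueError(f"malformed security association: {text!r}")
    spi, spi_in, spi_out, hexkey = m.groups()
    spi_in, spi_out = (int(spi), int(spi)) if spi is not None else (int(spi_in), int(spi_out))
    for value in (spi_in, spi_out):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"SPI {value} does not fit in 32 bits")
    if len(hexkey) % 2:
        raise ValueError("key hex string must have an even number of digits")
    return SecurityAssociation(spi_in, spi_out, bytes.fromhex(hexkey))


# CiscoSecure profile: user = <addr> { service = mobileip { set spi#<n> = "<sa string>" ... } }
USER_BLOCK = re.compile(r"user\s*=\s*(\S+)\s*\{(.*?)\}\s*\}", re.S)
SPI_SET = re.compile(r'set\s+spi#(\d+)\s*=\s*"([^"]*)"')


def parse_ciscosecure(text):
    """Return ({address: [SA, ...] in spi# order}, [(address, error message), ...])."""
    table, errors = {}, []
    for block in USER_BLOCK.finditer(text):
        addr, body = block.group(1), block.group(2)
        if re.search(r"service\s*=\s*mobileip", body) is None:
            continue  # some other service profile for this user
        sas = []
        for _, sa_text in sorted((int(n), s) for n, s in SPI_SET.findall(body)):
            try:
                sas.append(parse_sa_string(sa_text))
            except ValueError as exc:
                errors.append((addr, str(exc)))
        table[addr] = sas
    return table, errors


# Router configuration: ip mobile secure {host | visitor | home-agent | foreign-agent} <addr> <sa string>
ROUTER_LINE = re.compile(r"^ip mobile secure (host|visitor|home-agent|foreign-agent)\s+(\S+)\s+(.+)$")


def parse_router_config(text):
    """Return {(peer type, address): [SA, ...]} from the "ip mobile secure" lines of a config."""
    table = {}
    for line in text.splitlines():
        m = ROUTER_LINE.match(line.strip())
        if m:
            table.setdefault((m.group(1), m.group(2)), []).append(parse_sa_string(m.group(3)))
    return table


def lookup(sas, spi):
    """The SA whose inbound SPI matches the SPI carried in a registration's
    authentication extension, or None when the peer has no such SA."""
    return next((sa for sa in sas if sa.inbound_spi == spi), None)


# Constructed sample profile and config; the keys are made-up values.
SAMPLE_AAA = """\
user = 20.0.0.1 {
    service = mobileip {
        set spi#0 = "spi 100 key hex 00112233445566778899aabbccddeeff"
        set spi#1 = "inbound-spi 300 outbound-spi 400 key hex ffeeddccbbaa99887766554433221100"
    }
}
user = 20.0.0.2 {
    service = mobileip {
        set spi#0 = "spi 200 key hex 0123456789abcdef0123456789abcdef"
    }
}
user = 20.0.0.3 {
    service = mobileip {
        set spi#0 = "spi 100 key hex 0123456789abcde"
    }
}
"""
SAMPLE_ROUTER = """\
ip mobile secure host 20.0.0.1 spi 100 key hex 00112233445566778899aabbccddeeff
ip mobile secure foreign-agent 68.0.0.31 spi 500 key hex 000102030405060708090a0b0c0d0e0f
"""
```

Running the two parsers over a profile export and a router configuration and comparing the results is a quick way to catch a mobile node whose SPI or key differs between the AAA server and the router, which on the router shows up only as an authentication failure at registration time.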
The following example shows how the home agent is configured to use the AAA server:
aaa new-model
aaa authorization ipmobile tacacs+
!
ip mobile home-agent
ip mobile network 20.0.0.0 255.0.0.0
ip mobile host 20.0.0.1 20.0.0.3 virtual-network 20.0.0.0 255.0.0.0 aaa
!
tacacs-server host 1.2.3.4
tacacs-server key cisco

Foreign Agent Configuration Example
In the following example, the foreign agent is providing service on interface Ethernet1, advertising care-of address 68.0.0.31 and a lifetime of one hour.
interface Ethernet0
 ip address 68.0.0.31 255.0.0.0
interface Ethernet1
 ip address 67.0.0.31 255.0.0.0
 ip irdp
 ip irdp maxadvertinterval 10
 ip irdp minadvertinterval 7
 ip mobile foreign-service
 ip mobile registration-lifetime 3600
!
router mobile
!
ip mobile foreign-agent care-of Ethernet0

Command Reference
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command references.
• ip mobile registration-lifetime
aaa authorization ipmobile
To authorize Mobile IP to retrieve security associations from the AAA server using TACACS+ or RADIUS, use the aaa authorization ipmobile global configuration command. Use the no form of this command to remove authorization.
aaa authorization ipmobile {tacacs+ | radius}
no aaa authorization ipmobile {tacacs+ | radius}

Syntax Description
Default
AAA is not used to retrieve security associations for authentication.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(1)T.
Mobile IP requires security associations for registration authentication. The security associations are configured on the router or on an AAA server. This command is not needed in the former case; in the latter case, it authorizes Mobile IP to retrieve the security associations from the AAA server.
Note
The AAA server does not authenticate the user. It stores the security association which is retrieved by the router to authenticate registration.
Example
The following example uses TACACS+ to retrieve security associations from the AAA server:
aaa new-model
aaa authorization ipmobile tacacs+
tacacs-server host 1.2.3.4
tacacs-server key mykey
ip mobile host 10.0.0.1 10.0.0.5 virtual-network 10.0.0.0 255.0.0.0 aaa

Related Commands
aaa new-model
ip mobile host
radius-server host
radius-server key
show ip mobile host
tacacs-server host
tacacs-server key

clear ip mobile binding
To remove mobility bindings, use the clear ip mobile binding EXEC command.
clear ip mobile binding [addr]
Syntax Description
Command Mode
EXEC
Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(1)T.
The home agent creates a mobility binding for each roaming mobile node. The mobility binding allows the mobile node to exchange packets with the correspondent node. Associated with the mobility binding are the tunnel to the visited network and a host route used to forward packets destined for the mobile node. There should be no need to clear the binding, because it expires after the lifetime is reached or when the mobile node deregisters.
When the mobility binding is removed, the number of users on the tunnel is decremented and the host route is removed from the routing table. The mobile node is not notified.
Use this command with care, since it can terminate any sessions used by the mobile node. The mobile node will need to reregister to continue roaming.
Example
The following example administratively stops mobile node 10.0.0.1 from roaming:
Router# clear ip mobile binding 10.0.0.1
Router# show ip mobile binding
Mobility Binding List:
Total 1
10.0.0.1:
    Care-of Addr 68.0.0.31, Src Addr 68.0.0.31,
    Lifetime granted 02:46:40 (10000), remaining 02:46:32
    Flags SbdmGvt, Identification B750FAC4.C28F56A8,
    Tunnel100 src 66.0.0.5 dest 68.0.0.31 reverse-allowed
    Routing Options - (G)GRE

Related Commands
clear ip mobile secure
To clear and retrieve remote security associations, use the clear ip mobile secure EXEC command.
clear ip mobile secure {host lower [upper] | empty | all} [load]
Syntax Description
Command Mode
EXEC
Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(1)T.
Security associations are required for registration authentication. They can be stored on an AAA server. During registration, they may be stored locally after retrieval from the AAA server. It is possible that the security association on the router becomes stale or out of date when the security association on the AAA server changes.
This command clears Security Associations that have been downloaded from the AAA server.
Note
This command does not apply to security associations that were manually configured on the router, or that were not stored on the router after retrieval from the AAA server.
Example
In the following example, the AAA server has the security association for user 10.0.0.1 after registration:
Router# show ip mobile secure host 10.0.0.1
Security Associations (algorithm, mode, replay protection, key):
10.0.0.1:
    SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,
    Key `oldkey' 1230552d39b7c1751f86bae5205ec0c8

The AAA server's security association changes:

Router# clear ip mobile secure host 10.0.0.1 load
Router# show ip mobile secure host 10.0.0.1
10.0.0.1:
    SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,
    Key `newkey' 1230552d39b7c1751f86bae5205ec0c8

Related Commands
clear ip mobile traffic
To clear counters, use the clear ip mobile traffic EXEC command.
clear ip mobile traffic
Syntax Description
This command has no keywords or arguments.
Command Mode
EXEC
Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(1)T.
Mobile IP counters are accumulated during operation. They are useful for debugging and monitoring.
This command clears all Mobile IP counters. The undo keyword restores the counters (this is useful for debugging.) See the show ip mobile traffic command for a list and description of all counters.
Example
The following example shows how the counters can be used for debugging:
Router# show ip mobile traffic
IP Mobility traffic:
Advertisements:
    Solicitations received 0
    Advertisements sent 0, response to solicitation 0
Home Agent Registrations:
    Register 8, Deregister 0 requests
    Register 7, Deregister 0 replied
    Accepted 6, No simultaneous bindings 0
    Denied 1, Ignored 1
    Unspecified 0, Unknown HA 0
    Administrative prohibited 0, No resource 0
    Authentication failed MN 0, FA 0
    Bad identification 1, Bad request form 0
    .
    .
Router# clear ip mobile traffic
Router# show ip mobile traffic
IP Mobility traffic:
Advertisements:
    Solicitations received 0
    Advertisements sent 0, response to solicitation 0
Home Agent Registrations:
    Register 0, Deregister 0 requests
    Register 0, Deregister 0 replied
    Accepted 0, No simultaneous bindings 0
    Denied 0, Ignored 0
    Unspecified 0, Unknown HA 0
    Administrative prohibited 0, No resource 0
    Authentication failed MN 0, FA 0
    Bad identification 0, Bad request form 0

Related Commands
clear ip mobile visitor
To remove visitor information, use the clear ip mobile visitor EXEC command.
clear ip mobile visitor [addr]
Syntax Description
addr
(Optional) IP address. If not specified, visitor information will be removed for all addresses.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(1)T.
The foreign agent creates a visitor entry for each accepted visitor. The visitor entry allows the mobile node to receive packets while in a visited network. Associated with the visitor entry is the ARP entry for the visitor. There should be no need to clear the entry, because it expires after the lifetime is reached or when the mobile node deregisters.
When a visitor entry is removed, the number of users on the tunnel is decremented and the ARP entry is removed from the ARP cache. The visitor is not notified.
Use this command with care, since it can break any sessions the mobile node has.
After this command is used, the visitor will need to reregister to continue roaming.
Example
The following example administratively stops visitor 10.0.0.1 from visiting:
clear ip mobile visitor 10.0.0.1

Related Commands
ip mobile foreign-agent
To enable foreign agent service, use the ip mobile foreign-agent global configuration command.
ip mobile foreign-agent [care-of interface | reg-wait secs]
no ip mobile foreign-agent [care-of interface | reg-wait secs]

Syntax Description
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(1)T.
This command enables foreign agent service when at least one care-of address is configured. When no care-of address exists, foreign agent service is disabled.
The foreign agent is responsible for relaying the registration request to the home agent, setting up a tunnel to the home agent, and forwarding packets to the mobile node. The show commands that display the relevant information are given in parentheses.
When a registration request comes in, the foreign agent ignores it if foreign agent service is not enabled on the interface or no care-of address is advertised. If a security association exists for the visiting mobile node, the visitor is authenticated (show ip mobile secure visitor). The registration bitflag handling is described under show ip mobile interface. The foreign agent checks the validity of the request. If the check succeeds, the foreign agent relays the request to the home agent, appending an FH authentication extension if a security association for the home agent exists. A pending registration timer of 15 seconds is started (show ip mobile visitor pending). At most five outstanding pending requests per mobile node are allowed. If the validity check fails, the foreign agent sends a reply with an error code to the mobile node. Reply codes are listed in . A security violation is logged when authentication of the visiting mobile node fails (show ip mobile violation). The violation reasons are listed in .
When a registration reply comes in, the home agent is authenticated (show ip mobile secure home-agent) if a security association exists for the home agent (the IP source address or home agent address in the reply). The reply is then relayed to the mobile node.
When a registration is accepted, the foreign agent creates or updates the visitor table entry, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the mobile node via the interface of the incoming request is added to the routing table (show ip route mobile), and an ARP entry is added so that the foreign agent does not ARP for the visiting mobile node. The visitor binding is removed (along with its associated host route, tunnel, and ARP entry) when the registration lifetime expires or a deregistration is accepted.
When a registration is denied, the foreign agent removes the request from the pending registration table. The visitor table and timers are unaffected.
When a packet destined for the mobile node arrives at the foreign agent, the foreign agent decapsulates it and forwards it out its interface to the visiting mobile node, without ARPing.
The care-of address must be advertised by the foreign agent; the mobile node uses it to register with the home agent. The foreign agent and home agent use this address as the source and destination point of the tunnel, respectively. The foreign agent is not enabled until at least one care-of address is available. The foreign agent advertises on interfaces configured with ip mobile foreign-service.
Only care-of addresses on interfaces that are up are considered available.
lists foreign agent registration bitflags.
lists foreign agent reply codes.
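The pending-registration and visitor handling described in the usage guidelines can be followed in a small simulation. The following Python code is an added example, not Cisco's implementation: it models a foreign agent that ignores requests arriving on interfaces without foreign-service or while no care-of address exists, starts the 15-second pending timer for each relayed request, refuses a sixth outstanding request from the same mobile node, discards replies that no longer have a pending entry, and creates or removes the visitor entry on an accepted reply while leaving it untouched on a denial. The interface names, the result strings, the demo() scenario and the relayed list standing in for the packets sent to the home agent are this example's own constructions; reply codes 0 and 1 are the RFC 2002 acceptance codes.

```python
from dataclasses import dataclass, field

PENDING_TIMEOUT = 15   # seconds a relayed request waits for a reply (usage guidelines above)
MAX_PENDING = 5        # outstanding pending requests allowed per mobile node
ACCEPT_CODES = (0, 1)  # RFC 2002 reply codes that accept a registration; 64 and above deny


@dataclass
class ForeignAgent:
    care_of: dict                                  # interface -> care-of address (ip mobile foreign-agent care-of)
    service_ifaces: set                            # interfaces with ip mobile foreign-service
    pending: dict = field(default_factory=dict)    # (home addr, identification) -> (iface, home agent, expiry)
    visitors: dict = field(default_factory=dict)   # home addr -> {"iface", "home_agent", "expiry"}
    relayed: list = field(default_factory=list)    # (home agent, home addr, identification) sent onward

    def enabled(self):
        return bool(self.care_of)  # service exists only while a care-of address is configured

    def expire(self, now):
        """Drop pending requests whose timer ran out and visitors whose lifetime ended."""
        for key in [k for k, v in self.pending.items() if v[2] <= now]:
            del self.pending[key]
        for home in [h for h, v in self.visitors.items() if v["expiry"] <= now]:
            del self.visitors[home]  # on a router the host route, tunnel use and ARP entry go too

    def on_request(self, iface, home, home_agent, ident, now):
        self.expire(now)
        if not self.enabled() or iface not in self.service_ifaces:
            return "ignored"
        if sum(1 for h, _ in self.pending if h == home) >= MAX_PENDING:
            return "too-many-pending"  # this example's name for exceeding the per-node limit
        self.pending[(home, ident)] = (iface, home_agent, now + PENDING_TIMEOUT)
        self.relayed.append((home_agent, home, ident))  # an FH auth extension would be appended here
        return "relayed"

    def on_reply(self, home, ident, code, lifetime, now):
        self.expire(now)
        entry = self.pending.pop((home, ident), None)
        if entry is None:
            return "no-pending"  # late, duplicated or unsolicited reply: nothing to relay
        iface, home_agent, _ = entry
        if code not in ACCEPT_CODES:
            return "denied"      # pending entry removed; visitor table untouched
        if lifetime == 0:        # accepted deregistration
            self.visitors.pop(home, None)
            return "deregistered"
        self.visitors[home] = {"iface": iface, "home_agent": home_agent, "expiry": now + lifetime}
        return "accepted"

    def deliver(self, home, now):
        """Interface to forward a decapsulated packet on, or None when the node is not a visitor."""
        self.expire(now)
        visitor = self.visitors.get(home)
        return visitor["iface"] if visitor else None


def demo():
    """Constructed scenario: foreign-service on Ethernet1, care-of address on Ethernet0."""
    fa = ForeignAgent(care_of={"Ethernet0": "68.0.0.31"}, service_ifaces={"Ethernet1"})
    r = {}
    r["wrong_iface"] = fa.on_request("Ethernet0", "10.0.0.1", "66.0.0.5", 1, now=0)
    r["burst"] = [fa.on_request("Ethernet1", "10.0.0.1", "66.0.0.5", i, now=0) for i in range(1, 7)]
    r["after_timeout"] = fa.on_request("Ethernet1", "10.0.0.1", "66.0.0.5", 7, now=16)
    r["stale_reply"] = fa.on_reply("10.0.0.1", 3, 0, 3600, now=17)   # ident 3 timed out at 15 s
    r["accept"] = fa.on_reply("10.0.0.1", 7, 0, 3600, now=17)
    r["deliver"] = fa.deliver("10.0.0.1", now=3000)
    r["expired"] = fa.deliver("10.0.0.1", now=3617)                  # lifetime 3600 ended
    fa.on_request("Ethernet1", "10.0.0.1", "66.0.0.5", 8, now=3620)
    r["denied"] = fa.on_reply("10.0.0.1", 8, 129, 0, now=3621)       # 129: administratively prohibited
    r["pending_left"] = len(fa.pending)
    return r
```

The per-node limit and the 15-second timer are what keep a flood of registration requests from a single visitor from growing the pending table without bound; the stale-reply case shows why a reply is only relayed when a matching pending entry still exists.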
Example
The following example enables foreign agent service on interface Ethernet1, advertising 1.0.0.1 as the care-of address:
ip mobile foreign-agent care-of Ethernet0
interface Ethernet0
 ip address 1.0.0.1 255.0.0.0
interface Ethernet1
 ip mobile foreign-service

Related Commands
debug ip mobile advertise
ip mobile foreign-service
show ip mobile globals

ip mobile foreign-service
To enable foreign agent service on an interface when at least one care-of address is configured, use the ip mobile foreign-service interface configuration command.
ip mobile foreign-service [home-access acl] [limit num] [registration-required]
no ip mobile foreign-service [home-access acl] [limit num] [registration-required]

Syntax Description
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(1)T.
This command enables foreign agent service on the interface. The foreign agent (F) bit will be set in the agent advertisement, which is appended to the IRDP router advertisement whenever the foreign agent or home agent service is enabled on the interface.
Note
The Registration-required bit only tells the visiting mobile node to register even if using a co-located care-of address. You must set up packet filters to enforce this. For example, you could deny packets destined for port 434 from this foreign agent's interface.
lists the advertised bitflags.
Example
The following example enables foreign agent service for up to 100 visitors:
interface Ethernet 0
 ip mobile foreign-service limit 100 registration-required

Related Commands
ip mobile home-agent
To enable and control home agent services on the router, use the ip mobile home-agent global configuration command. Use the no form of this command to disable these services.
ip mobile home-agent [broadcast] [care-of-access acl] [lifetime num] [replay sec] [reverse-tunnel-off]
[roam-access acl] [suppress-unreachable]
no ip mobile home-agent [broadcast] [care-of-access acl] [lifetime num]
[replay sec] [reverse-tunnel-off] [roam-access acl] [suppress-unreachable]

Syntax Description
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(1)T.
This command enables and controls home agent services on the router. Changes to the service take effect immediately; however, broadcast and lifetime settings for previously registered mobile nodes are unaffected. Tunnels are shared by mobile nodes registered with the same endpoints, so reverse-tunnel-off affects already registered mobile nodes too.
The home agent is responsible for processing registration requests from the mobile node and setting up a tunnel and route to the care-of address. Packets to the mobile node are forwarded to the visited network.
The home agent forwards broadcast packets to mobile nodes that registered for the service. However, heavy broadcast traffic uses the router's CPU. The home agent can control where mobile nodes roam with the care-of-access parameter, and which mobile nodes are allowed to roam with the roam-access parameter.
When a registration request comes in, the home agent ignores it if home agent service is not enabled or the mobile node's security association is not configured. The latter applies because the security association must be available for the MH authentication extension in the reply. If a security association exists for the foreign agent (the IP source address or care-of address in the request), the foreign agent is authenticated, then the mobile node is authenticated. The Identification field is verified to protect against replay attacks. The home agent checks the validity of the request (see ) and sends a reply. Reply codes are listed in . A security violation is logged when foreign agent authentication, MH authentication, or Identification verification fails. The violation reasons are listed in .
After a registration is accepted, the home agent creates or updates the mobile node's mobility binding, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the mobile node via the care-of address is added to the routing table, and gratuitous ARPs are sent out. For a deregistration, the host route is removed from the routing table, the virtual tunnel interface is removed (if no other mobile nodes are using it), and gratuitous ARPs are sent out if the mobile node is back home. The mobility binding is removed (along with its associated host route and tunnel) when the registration lifetime expires or a deregistration is accepted.
When a packet destined for the mobile node arrives at the home agent, the home agent encapsulates the packet and tunnels it to the care-of address. If the "Don't fragment" bit is set in the packet, the bit in the outer IP header is also set. This allows Path MTU Discovery to set the tunnel's MTU. Subsequent packets larger than the tunnel's MTU are dropped and an ICMP Datagram Too Big message is sent to the source. If the home agent loses the route to the tunnel endpoint, the host route to the mobile node is removed from the routing table until the tunnel route is available again. Packets destined for a mobile node without a host route are sent out the interface (home link) or to the virtual network (see the suppress-unreachable parameter below). For subnet-directed broadcasts to the home link, the home agent sends a copy to all mobile nodes registered with the broadcast routing option.
describes how the home agent treats registrations with various bits set when authentication and identification passed.
lists the home agent registration reply codes.
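The registration processing described above (security association lookup, verification of the MH authentication extension, the Identification replay check, the roam-access and care-of-access checks, lifetime clamping and binding creation) is shown end to end in the following Python code. It is an added example, not Cisco IOS code, and it also serves the home agent steps in Enabling Home Agent Services: it uses the RFC 2002 default of keyed MD5 in prefix+suffix mode, a timestamp-style Identification whose seconds are in the high 32 bits with the +/- 7 second window shown by show ip mobile secure, and the RFC 2002 reply codes. The addresses are this page's own, the key and the demo() scenario are constructed, and treating a request that carries no authentication extension as an authentication failure is this example's choice.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field

# Registration reply codes from RFC 2002; their names match the counters that
# "show ip mobile traffic" reports on this page.
ACCEPTED, ADMIN_PROHIBITED, MN_AUTH_FAILED = 0, 129, 131
BAD_IDENTIFICATION, BAD_REQUEST_FORM, UNKNOWN_HA = 133, 134, 136
REG_REQUEST = 1      # message type of a Registration Request
MH_AUTH_EXT = 32     # Mobile-Home Authentication Extension type
REPLAY_WINDOW = 7    # seconds; the "Timestamp +/- 7" shown by "show ip mobile secure"


def keyed_md5(key, data):
    # RFC 2002 default algorithm: keyed MD5 in prefix+suffix mode, MD5(key || data || key)
    return hashlib.md5(key + data + key).digest()


def build_request(home, home_agent, care_of, lifetime, ident, spi, key):
    """Registration Request as the mobile node sends it: fixed part plus MH auth extension."""
    addrs = [int(ipaddress.IPv4Address(a)) for a in (home, home_agent, care_of)]
    body = struct.pack("!BBHIIIQ", REG_REQUEST, 0, lifetime, *addrs, ident)
    ext_hdr = struct.pack("!BBI", MH_AUTH_EXT, 20, spi)  # length = 4 (SPI) + 16 (MD5 authenticator)
    return body + ext_hdr + keyed_md5(key, body + ext_hdr)  # authenticator covers body and ext header


@dataclass
class HomeAgent:
    address: str
    max_lifetime: int                                # "ip mobile home-agent lifetime num"
    sas: dict                                        # home address -> (spi, key): "ip mobile secure host"
    roam_deny: set = field(default_factory=set)      # hosts denied by the roam-access list
    careof_deny: list = field(default_factory=list)  # networks denied by the care-of-access list
    bindings: dict = field(default_factory=dict)     # home address -> (care-of address, expiry)
    last_ts: dict = field(default_factory=dict)      # home address -> last accepted timestamp

    def process(self, pkt, now):
        """Return (reply code, granted lifetime), or None when the request is ignored."""
        if len(pkt) < 24 or pkt[0] != REG_REQUEST:
            return BAD_REQUEST_FORM, 0
        _, _, lifetime, home_i, ha_i, coa_i, ident = struct.unpack("!BBHIIIQ", pkt[:24])
        home, care_of = str(ipaddress.IPv4Address(home_i)), str(ipaddress.IPv4Address(coa_i))
        if ha_i != int(ipaddress.IPv4Address(self.address)):
            return UNKNOWN_HA, 0
        sa = self.sas.get(home)
        if sa is None:               # no security association: the page says such requests are ignored
            return None
        if not self._authentic(pkt, *sa):
            return MN_AUTH_FAILED, 0
        ts = ident >> 32             # timestamp replay protection: seconds live in the high 32 bits
        if abs(ts - now) > REPLAY_WINDOW or ts <= self.last_ts.get(home, -1):
            return BAD_IDENTIFICATION, 0
        if home in self.roam_deny or any(ipaddress.IPv4Address(coa_i) in net for net in self.careof_deny):
            return ADMIN_PROHIBITED, 0
        self.last_ts[home] = ts
        if lifetime == 0:            # deregistration: drop the binding (and, on a router, its host route)
            self.bindings.pop(home, None)
            return ACCEPTED, 0
        granted = min(lifetime, self.max_lifetime)
        self.bindings[home] = (care_of, now + granted)
        return ACCEPTED, granted

    def _authentic(self, pkt, spi, key):
        off = 24
        while off + 2 <= len(pkt):   # walk the type/length extensions after the fixed part
            etype, elen = pkt[off], pkt[off + 1]
            if etype == MH_AUTH_EXT:
                if elen != 20 or off + 2 + elen > len(pkt):
                    return False
                if struct.unpack("!I", pkt[off + 2:off + 6])[0] != spi:
                    return False
                expected = keyed_md5(key, pkt[:off + 6])  # everything before the authenticator
                return hmac.compare_digest(expected, pkt[off + 6:off + 22])
            off += 2 + elen
        return False                 # no authentication extension: treated here as a failure


def demo():
    """Constructed scenario with this page's addresses; the key is made up."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    ha = HomeAgent("66.0.0.5", 3600, {"10.0.0.1": (100, key), "11.0.0.5": (200, key)},
                   roam_deny={"11.0.0.5"}, careof_deny=[ipaddress.IPv4Network("13.0.0.0/8")])
    r = {}
    req = build_request("10.0.0.1", "66.0.0.5", "68.0.0.31", 10000, (1000 << 32) | 7, 100, key)
    r["fresh"] = ha.process(req, now=1003)                  # accepted, lifetime clamped to 3600
    r["replay"] = ha.process(req, now=1004)                 # same identification again: 133
    tampered = bytearray(req)
    tampered[3] ^= 0x01                                     # flip a lifetime bit: authenticator fails
    r["tampered"] = ha.process(bytes(tampered), now=1005)   # 131
    bad_coa = build_request("10.0.0.1", "66.0.0.5", "13.0.0.9", 600, 1010 << 32, 100, key)
    r["care_of_denied"] = ha.process(bad_coa, now=1010)     # 129, care-of-access
    denied = build_request("11.0.0.5", "66.0.0.5", "68.0.0.31", 600, 1010 << 32, 200, key)
    r["roam_denied"] = ha.process(denied, now=1010)         # 129, roam-access
    skewed = build_request("10.0.0.1", "66.0.0.5", "68.0.0.31", 600, 1020 << 32, 100, key)
    r["clock_skew"] = ha.process(skewed, now=1040)          # 133, outside the +/- 7 s window
    no_sa = build_request("10.0.0.2", "66.0.0.5", "68.0.0.31", 600, 1040 << 32, 100, key)
    r["no_sa"] = ha.process(no_sa, now=1040)                # None, ignored
    r["binding"] = ha.bindings["10.0.0.1"]
    return r
```

The order of the checks matters for what the counters and show ip mobile violation will show: a replayed or tampered request is rejected before any access list is consulted, and a node without a security association produces no reply at all, which is why such a node appears only under Ignored in show ip mobile traffic.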

