CN-6-4-2 - Processing in upper layer - IPSec
Host
HA----------R2----------R1----------R0
|           |           |           |
|           |           |           |
|----       |----       |----MN     |----CN(NUT)
|           |           |           |
|           |           |           |
Home Link   Link2       Link1       Link0
            (Foreign)   (Foreign)
Link0             3ffe:501:ffff:100::/64
Link1             3ffe:501:ffff:101::/64   Foreign Link
Link2             3ffe:501:ffff:102::/64   Foreign Link 2
Home Link         3ffe:501:ffff:104::/64   Home Link
CN(NUT)           3ffe:501:ffff:100::X     Auto Configuration (InterfaceID)
MN(in Link1)      3ffe:501:ffff:101::Y     Increased in each test (InterfaceID), MN care-of address
MN(in Home Link)  3ffe:501:ffff:104::Y     Increased in each test (InterfaceID), MN home address
R0(Link0)         3ffe:501:ffff:100::1
R1(Link1)         3ffe:501:ffff:101::1
R2(Link2)         3ffe:501:ffff:102::1
HA(Home Link)     3ffe:501:ffff:104::1
Reboot NUT (reboot.rmt)
Enable IPSec Configuration (ipsecEnable.rmt, ipsecClearAll.rmt, ipsecSetSAD.rmt, ipsecSetSPD.rmt)
MN      R1      HA      R0      CN(NUT)
|       |       |       |       |
|       |       |       |------>| 1.RA
|       |       |       |       |
|       |       |       |------>| 2.NS
|       |       |       |       |
|       |       |       |<------| 3.NA
|       |       |       |       |
|-------------->|-------------->| 4.Echo Request (SPI=0x2001)
|       |       |       |       |
|<--------------|<--------------| 5.Echo Reply(SPI=0x2002)
|       |       |       |       |
|------------------------------>| 6.CoTI
|       |       |       |       |
|-------------->|-------------->| 7.HoTI
|       |       |       |       |
|<------------------------------| 8.CoT
|       |       |       |       |
|<--------------|<--------------| 9.HoT
|       |       |       |       |
|------------------------------>| 10.BU
|       |       |       |       |
|<------------------------------| 11.BA
|       |       |       |       |
|------------------------------>| 12.Echo Request(Home Address option) (SPI=0x2001)
|       |       |       |       |
|<------------------------------| 13.Echo Reply(Type2 Routing Header) (SPI=0x2002) (*1)
|       |       |       |       |
1. Send Router Advertisement.
2. Send Neighbor Solicitation.
3. Receive Neighbor Advertisement.
4. Send ICMP Echo Request(IPSec).
5. Receive ICMP Echo Reply(IPSec).
6. Send Care-of Test Init.
7. Send Home Test Init.
8. Receive Care-of Test.
9. Receive Home Test.
10. Send Binding Update.
11. Receive Binding Acknowledgement.
12. Send ICMP Echo Request(IPSec,Home Address option).
13. Receive ICMP Echo Reply(IPSec,Type2 Routing Header).
Packet Format
12. ICMP Echo Request(Home Address option)
    IPv6 header
    Destination Options header
        Home Address option
    ESP header
    ICMPv6
        Echo Request
13. ICMP Echo Reply(Type2 Routing Header)
    IPv6 header
    Routing header (type 2)
        Home Address
    ESP header
    ICMPv6
        Echo Reply
(*1) MN receives ICMP Echo Reply.
- The Destination Address is set to the Source Address of the Binding Update (MN care-of address).
- Type 2 Routing Header is included.
- The Home Address field of Type 2 Routing Header is set to MN home address.
- The SPD lookup is based on the MN Home Address.
(draft-ietf-mobileip-ipv6-24.txt)
9.3.1 Receiving Packets with Home Address Option
The correspondent node MUST process the option in a manner consistent with exchanging the Home Address field from the Home Address option into the IPv6 header and replacing the original value of the Source Address field there. After all IPv6 options have been processed, it MUST be possible for upper layers to process the packet without the knowledge that it came originally from a care-of address or that a Home Address option was used.
(snip)
When attempting to verify AH authentication data in a packet that contains a Home Address option, the receiving node MUST calculate the AH authentication data as if the following were true: The Home Address option contains the care-of address, and the source IPv6 address field of the IPv6 header contains the home address. This conforms with the calculation specified in Section 11.3.2.
9.3.2 Sending Packets to a Mobile Node
When calculating authentication data in a packet that contains a type 2 routing header, the correspondent node MUST calculate the AH authentication data as if the following were true: The routing header contains the care-of address, the destination IPv6 address field of the IPv6 header contains the home address, and the Segments Left field is zero. The IPsec Security Policy Database lookup MUST based on the mobile node's home address.
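
The processing quoted above, modelled as an added Python example (not part of the test suite or the draft): the CN swaps the Home Address option into the source before the policy check, selects the outbound SA by the home address, and the (*1) checks are applied to the reply. The interface IDs, the dict-based SPD and binding cache, the binding check and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed addresses: the page leaves the interface IDs as X and Y.
CN = ipaddress.IPv6Address("3ffe:501:ffff:100::a")    # CN(NUT), X assumed
COA = ipaddress.IPv6Address("3ffe:501:ffff:101::b")   # MN care-of, Y assumed
HOME = ipaddress.IPv6Address("3ffe:501:ffff:104::b")  # MN home, Y assumed

# Hypothetical SPD keyed on (local, remote); remote is the MN HOME address.
SPD_IN = {(CN, HOME): 0x2001}
SPD_OUT = {(CN, HOME): 0x2002}
BINDING_CACHE = {HOME: COA}  # state after steps 10 and 11 (BU/BA)

def cn_receive(pkt):
    """Step 12: put the Home Address option into Source, then check policy."""
    src = pkt["src"]
    if "hao" in pkt:
        # Assumption: a Home Address option with no matching binding is dropped.
        if BINDING_CACHE.get(pkt["hao"]) != src:
            raise ValueError("no binding for Home Address option")
        src = pkt["hao"]  # upper layers never see the care-of address
    if SPD_IN.get((pkt["dst"], src)) != pkt.get("spi"):
        raise ValueError("packet does not match inbound SPD entry")
    return {"src": src, "dst": pkt["dst"], "payload": pkt["payload"]}

def cn_send(src, home, payload, lookup_on_care_of=False):
    """Step 13: SPD lookup on the home address, then route via care-of."""
    coa = BINDING_CACHE.get(home)
    key = coa if (lookup_on_care_of and coa) else home  # True models the bug
    pkt = {"src": src, "dst": home, "spi": SPD_OUT.get((src, key)),
           "payload": payload}
    if coa is not None:
        pkt["dst"], pkt["rh2_home"] = coa, home  # type 2 routing header
    return pkt

def judge_echo_reply(pkt, bu_source, home, spi=0x2002):
    """The (*1) checks; returns the conditions that failed."""
    checks = {
        "Destination is the BU source (care-of)": pkt["dst"] == bu_source,
        "Type 2 Routing Header present": "rh2_home" in pkt,
        "RH2 Home Address is MN home address": pkt.get("rh2_home") == home,
        "ESP SA selected by home address": pkt.get("spi") == spi,
    }
    return [name for name, ok in checks.items() if not ok]
```

With lookup_on_care_of=True the SPD lookup misses and the reply carries no SPI, which is the failure the last (*1) condition is there to catch.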