Network Working Group                                           S. Glass
Request for Comments: 3543                              Sun Microsystems
Category: Standards Track                                     M. Chandra
                                                           Cisco Systems
                                                             August 2003
        

Registration Revocation in Mobile IPv4

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

This document defines a Mobile IPv4 Registration Revocation mechanism whereby a mobility agent involved in providing Mobile IP services to a mobile node can notify the other mobility agent providing Mobile IP services to the same mobile node of the termination of this registration. The mechanism is also usable by a home agent to notify a co-located mobile node of the termination of its binding as well. Moreover, the mechanism provides for this notification to be acknowledged. A signaling mechanism already defined by the Mobile IPv4 protocol is leveraged as a way to inform a mobile node of the revocation of its binding.

Table of Contents

   1.  Introduction and Applicability
   2.  Terminology
   3.  Registration Revocation Extensions and Messages
       3.1.  Advertising Registration Revocation Support
       3.2.  Revocation Support Extension
       3.3.  Registration Revocation Message
       3.4.  Registration Revocation Acknowledgment Message
       3.5.  Replay Protection
   4.  Registration Revocation Overview
       4.1.  Mobile Node Notification
       4.2.  Registration Revocation Mechanism - Agent Notification
             4.2.1.  Negotiating Revocation Support
             4.2.2.  Home Domain Revoking a Registration
                     4.2.2.1.  Home Agent Responsibilities
                     4.2.2.2.  Foreign Agent Responsibilities
                     4.2.2.3.  'Direct' Co-located Mobile Node Responsibilities
             4.2.3.  Foreign Domain Revoking a Registration
                     4.2.3.1.  Foreign Agent Responsibilities
                     4.2.3.2.  Home Agent Responsibilities
             4.2.4.  Mobile Node Deregistering a Registration
       4.3.  Mobile IP Registration Bits in the Revocation Process
             4.3.1.  The 'R' Bit in Use
             4.3.2.  The 'D' Bit in Use (co-located mobile nodes)
   5.  Error Codes
   6.  Security Considerations
       6.1.  Agent Advertisements
       6.2.  Revocation Messages
   7.  IANA Considerations
       7.1.  New Message Types
       7.2.  New Extension Values
       7.3.  New Error Codes
   8.  References
       8.1.  Normative (Numerical References)
       8.2.  Informational (Alphabetical References)
   Appendix A  An Example of the New Messages in Use
               A.1.  The Registration Phase
               A.2.  The Revocation Phase
   Appendix B  Disparate Address, and Receiver Considerations
   Acknowledgments
   Authors' Addresses
   Full Copyright Statement

1. Introduction and Applicability

Mobile IP [1] defines registration of a mobile node's location to provide connectivity between the mobile node and its home domain, facilitating communication between mobile nodes and any correspondent node. At any time, either the home or foreign agent may wish to cease servicing a mobile node, or for administrative reasons may no longer be required to service a mobile node.

This document defines a general registration revocation mechanism for Mobile IPv4, whereby a mobility agent can notify another mobility agent (or a 'direct' co-located mobile node) of the termination of mobility bindings. A mobility agent that receives a revocation notification no longer has to provide services to the mobile node whose registration has been revoked. A signaling mechanism already defined by the Mobile IPv4 protocol [1] is leveraged as a way to inform a mobile node of the revocation of its binding.

The registration revocation protocol provides the following advantages:

1. Timely release of Mobile IP resources. Resources being consumed to provide Mobile IP services for a mobile node that has stopped receiving Mobile IP services by one agent, can be reclaimed by the other agent in a more timely fashion than if it had to wait for the binding to expire. This also applies to the case in which a mobile node roams away from a foreign agent to another foreign agent. Notification to the previous foreign agent would allow it to reclaim resources.

2. Accurate accounting. This has a favorable impact on resolving accounting issues with respect to the length of mobility bindings in both domains, as the actual end of the registration is relayed.

3. Earlier adoption of domain policy changes with regards to services offered/required of a Mobile IP binding. For example, the home domain may now require reverse tunnels [C], yet there are existing bindings that do not use them. Without a revocation mechanism, new services can only be put in place or removed as bindings are re-registered.

4. Timely notification to a mobile node that it is no longer receiving mobility services, thereby significantly shortening any 'black-hole' periods to facilitate a more robust recovery.

The revocation protocol is an active, yet unobtrusive mechanism allowing more timely communication between the three Mobile IP entities in the various administrative domains. Since many mobile nodes may not understand the concept of revocation, care has been taken to ensure backwards compatibility with [1].

The registration revocation protocol does not replace the methods described in [1] for Mobile IP deregistration, as the purpose of these mechanisms is fundamentally different. Deregistration messages are used by a mobile node to inform its home agent that it has e.g., roamed back to its home subnet, whereas revocation messages are used between mobility agents to signal the termination of mobility bindings. More specifically, the revocation message defined here is NOT for use by 'direct' co-located mobile nodes that are terminating their registration as deregistration messages are already sufficient for this purpose. A 'direct' co-located mobile node, however, may wish to process revocation messages as it is a useful mechanism to trigger the re-negotiation of required services from the home domain.

2. Terminology

It is assumed that the reader is familiar with the terminology used in [1]. In addition, the following terms are defined:

'Direct' Co-located Mobile Node

A mobile node registering directly with its home agent, with the 'D' bit set in its registration request, and NOT registering through a foreign agent.

Mobile IP Resources

Various functional elements allocated by a mobility agent to support a Mobile IP binding, e.g., memory.

Mobile IP Services

Various responsibilities of a mobility agent in supporting a mobile node as defined in [1], e.g., encapsulation of packets addressed to a mobile node by a home agent, decapsulation of these packets by a foreign agent for delivery to a mobile node, etc.

Mobility Agent

The home agent or foreign agent as specified in [1].

Revocation

Premature termination of a mobility binding.

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [3].

3. Registration Revocation Extensions and Messages

Registration revocation in Mobile IPv4 is accomplished via the following:

- Advertising Registration Revocation Support (Section 3.1.):

o A flag in the Agent Advertisement extension has been reserved for agents to advertise their support of revocation messages.

- Revocation Support Extension (Section 3.2.):

o This extension is appended to a registration request or registration reply by a mobility agent to indicate its support of registration revocation.

o This extension is appended to a registration request by a 'direct' co-located mobile node to indicate its understanding of revocation messages.

- Registration Revocation Message (Section 3.3.):

o A message sent by a mobility agent to inform another mobility agent, or a 'direct' co-located mobile node, that it has revoked the binding of a mobile node.

- Registration Revocation Acknowledgment Message (Section 3.4.):

o A message sent by mobility agents or 'direct' co-located mobile nodes to indicate the receipt of a revocation message.

Security considerations related to the above messages and extensions are covered in Section 6.

3.1. Advertising Registration Revocation Support

Mobility agents can advertise their support of registration revocation with a modification to the Mobility Agent Advertisement extension described in [1]. An 'X' bit is introduced to indicate an agent's support for Registration Revocation.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |        Sequence Number        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Registration Lifetime      |R|B|H|F|M|G|r|T|U|X| reserved  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  zero or more Care-of Addresses               |
   |                              ...                              |
        

X        The mobility agent supports Registration Revocation.

A foreign agent that sets the 'X' bit in an agent advertisement extension MUST support registration revocation messages on that link, specifically the Revocation Support Extension (section 3.2.), Revocation Messages (section 3.3.), and Revocation Acknowledgment (section 3.4.). It is not required that all agents advertising on the same link support registration revocation, nor is it required that an agent advertise this support on all of its links.

Note that using this information, a mobile node can select a foreign agent that supports Registration Revocation. Should a mobile node not understand this bit, it simply ignores it as per [1].

As a bit in the agent advertisement, use of the 'X' bit has no impact on other messages, such as Challenge-Response [2].

3.2. Revocation Support Extension

The Mobile IP revocation support extension indicates support of registration revocation, and so MUST be attached to a registration request or registration reply by any entity that wants to receive revocation messages. Normally, this is either a foreign agent, or a home agent. However a 'direct' co-located mobile node MAY also include a revocation support extension in its registration request. A mobile node which is not co-located MUST NOT include a Revocation Support Extension in its registration.

A foreign agent advertising the 'X' bit on the link on which the registration request was received, and that has a security relationship with the home agent identified in the same registration request, MUST attach a revocation support extension to the forwarded registration request. A home agent that receives a registration request that does not contain a revocation extension SHOULD NOT include a revocation support extension in the associated registration reply.

The format of the revocation support extension is based on the Type-Length-Value Extension Format given in [1] and is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |     Length    |I|        Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |                            Timestamp                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
        

Type 137

Length Length (in bytes, currently 6). Does NOT include Type and Length fields (in accordance with section 1.9. of [1]). This allows for a longer extension length should more bits be required in the future.

Timestamp Current 4-byte timestamp of the mobility agent or 'direct' co-located mobile node. This is used to identify the ordering of registrations as they are forwarded, how they relate to the sending of any revocation messages, and to identify the approximate offset between the clocks of the mobility agents providing support for this binding, or between a 'direct' co-located mobile node and its home agent.

'I' Bit This bit is set to '1' by a mobility agent to indicate it supports the use of the 'I' bit in revocation messages (section 3.3.)

When sent by a foreign agent in a registration request:

If set to 1, the FA is willing to have the home agent use the 'I' bit in the revocation process to determine whether the mobile node should be informed of the revocation or not.

If set to 0, indicates to the home agent that the foreign agent will follow its own policy with regards to informing the mobile node in the event of a revocation.

When sent by a home agent in response to a revocation extension in which the 'I' bit was set to '1':

If set to 1, the home agent agrees to use the 'I' bit in the revocation process to indicate to the foreign agent whether or not the mobile node should be informed.

If set to 0, the home agent will not use the 'I' bit in the revocation process, thereby yielding to the foreign agent's default behavior with regard to informing the mobile node.

To preserve the robustness of the protocol, the recommended default behavior for a foreign agent is to inform the mobile node of its revocation as described in Section 4.1.

Reserved Reserved for future use. MUST be set to 0 on sending, MUST be ignored on receiving.

When appearing in a registration request, or registration reply, the Mobile IP revocation support extension MUST be protected either by a foreign-home authentication extension, a mobile-home authentication extension, or any other equivalent mechanism [1], e.g., via AAA [A], [B], or perhaps IPsec. If the extension appearing in either of these registration messages is NOT protected, the appropriate action as described by [1] (Sections 3.8.2.1 and 3.7.3.1) MUST be taken.

Support of the 'I' bit is OPTIONAL. If a mobility agent does not support the specified functionality, it MUST set the 'I' bit to zero. Note that the home agent setting the 'I' bit to '1' in response to a revocation extension from the foreign agent in which the 'I' bit was set to '0' is undefined, and SHOULD NOT be done.

'I' bit support has been negotiated when both agents have set the 'I' bit to '1' in their revocation support extensions.

It is important to note that this extension is skippable (i.e., if the receiving mobility agent does not understand this extension, it MUST skip it, and continue processing the remainder of the registration request).

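The negotiation described in Sections 3.1 and 3.2, as an added example written for this page (not code from the RFC or from any agent implementation): it encodes and decodes the 'X' bit in the Mobility Agent Advertisement extension and the Revocation Support extension (Type 137), walks a registration message's extension list skipping unknown skippable types, and applies the 'I'-bit rules (the home agent answers with a 1 only to a 1, and 'I' bit support is in effect only when both sides set the bit). The agent advertisement extension type (16) and the rule that extension types 128-255 are skippable while an unknown type below 128 causes the message to be rejected are taken from RFC 3344 [1]; the addresses, clocks and sequence numbers are constructed.

```python
import struct

AGENT_ADV_EXT_TYPE = 16            # Mobility Agent Advertisement Extension (RFC 3344)
REVOCATION_SUPPORT_EXT_TYPE = 137  # Section 3.2
# Advertisement flag field, MSB first: R B H F M G r T U X reserved...
X_BIT = 1 << 6                     # 'X': the agent supports Registration Revocation
I_BIT = 1 << 15                    # MSB of the 16 bits after Length in the extension
# RFC 3344 authentication extension types a receiver already knows; any other
# type below 128 is not skippable and must cause the request to be rejected.
KNOWN_EXT_TYPES = frozenset({32, 33, 34, REVOCATION_SUPPORT_EXT_TYPE})


def build_agent_adv_ext(seq, lifetime, flags, care_of_addrs):
    """Mobility Agent Advertisement extension with the given flag bits."""
    body = struct.pack("!HHH", seq, lifetime, flags)
    for addr in care_of_addrs:
        body += bytes(int(octet) for octet in addr.split("."))
    return struct.pack("!BB", AGENT_ADV_EXT_TYPE, len(body)) + body


def adv_supports_revocation(ext):
    """True when the advertising agent sets the 'X' bit (Section 3.1)."""
    ext_type, length, _seq, _lifetime, flags = struct.unpack("!BBHHH", ext[:8])
    if ext_type != AGENT_ADV_EXT_TYPE or length < 6:
        raise ValueError("not a Mobility Agent Advertisement extension")
    return bool(flags & X_BIT)


def build_revocation_support_ext(i_bit, timestamp):
    """Type 137, Length 6 (excluding Type/Length), 'I' bit, 4-byte timestamp."""
    return struct.pack("!BBHI", REVOCATION_SUPPORT_EXT_TYPE, 6,
                       I_BIT if i_bit else 0, timestamp & 0xFFFFFFFF)


def iter_extensions(blob):
    """Walk the Type-Length-Value extensions following a registration message."""
    off = 0
    while off + 2 <= len(blob):
        ext_type, length = blob[off], blob[off + 1]
        value = blob[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated extension")
        yield ext_type, value
        off += 2 + length


def find_revocation_support(ext_blob):
    """Return (i_bit, timestamp) from a Revocation Support extension, or None.
    Unknown types 128-255 are skipped; an unknown type below 128 is fatal."""
    for ext_type, value in iter_extensions(ext_blob):
        if ext_type == REVOCATION_SUPPORT_EXT_TYPE:
            if len(value) < 6:
                raise ValueError("Revocation Support extension too short")
            flags, timestamp = struct.unpack("!HI", value[:6])
            return bool(flags & I_BIT), timestamp
        if ext_type < 128 and ext_type not in KNOWN_EXT_TYPES:
            raise ValueError("unknown non-skippable extension %d" % ext_type)
    return None


def request_acceptable(ext_blob):
    """False when the extension list must make the receiver reject the request."""
    try:
        find_revocation_support(ext_blob)
        return True
    except ValueError:
        return False


def home_agent_i_bit(fa_i_bit, ha_supports_i):
    """'I' bit for the home agent's reply: set only in answer to a set bit."""
    return bool(fa_i_bit and ha_supports_i)


def i_bit_negotiated(fa_i_bit, ha_i_bit):
    """'I'-bit use is in effect only when both extensions carry the bit."""
    return bool(fa_i_bit and ha_i_bit)


def negotiate(fa_supports_i, ha_supports_i, fa_clock, ha_clock):
    """Simulate the exchange: the FA appends its extension to the forwarded
    request, the HA answers in the reply.  Returns (negotiated, HA's view of
    the clock offset to the FA, later used to judge revocation timestamps)."""
    request_ext = build_revocation_support_ext(fa_supports_i, fa_clock)
    fa_i, fa_timestamp = find_revocation_support(request_ext)
    reply_ext = build_revocation_support_ext(home_agent_i_bit(fa_i, ha_supports_i), ha_clock)
    ha_i, _ = find_revocation_support(reply_ext)
    return i_bit_negotiated(fa_i, ha_i), ha_clock - fa_timestamp
```

A foreign agent that wants the 'I' bit calls negotiate(True, ...); if the home agent answers with the bit clear, the foreign agent falls back to its own policy on informing the mobile node, which this document recommends should default to informing it.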

3.3. Registration Revocation Messages

A revocation message is sent by a mobility agent to inform another mobility agent, or a 'direct' co-located mobile node, that it is revoking the binding of a mobile node.

IP Fields:

Source Address In the case of the home agent issuing the registration revocation, the address registered with the care-of address as that of the home agent (that is the address identified as the home address of this binding).

In the case of the foreign agent issuing the registration revocation, the address registered with the home agent as the care-of address.

Destination Address In the case of the home agent issuing the registration revocation, the source address of the last approved registration request for this binding, i.e., the destination address of the last registration reply indicating success for this binding.

In the case of the foreign agent issuing the registration revocation, the address registered as that of the home agent by the mobile node whose registration is being revoked.

UDP Fields:

Source Port variable

Destination Port 434

The UDP header is followed by the Mobile IP fields shown below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |   Reserved    |A|I|          Reserved         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          Home Address                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Home Domain Address                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Foreign Domain Address                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Revocation Identifier                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Extensions...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
   |   Authenticator...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
        

Type 7

Reserved MUST be sent as 0, ignored when received.

A        Agent bit ('direction' bit).

This bit identifies the role of the agent sending the revocation, that is the 'direction' of the revocation message. This is useful for detecting reflection attacks, particularly when symmetric keying is being used.

Set to '0' if the revoking agent is servicing this binding as a foreign agent.

Set to '1' if the revoking agent is servicing this binding as a home agent.

I Inform bit.

This bit MUST NOT be set to '1' unless 'I' bit support was negotiated in the revocation extension messages passed in the registration process, otherwise the results can be unpredictable.

When sent by the home agent to a foreign agent:

Set to '0' to request that the mobile node SHOULD NOT be informed of the revocation, or because the use of the 'I' bit was not agreed upon.

Set to '1' to request that the mobile node be informed of the revocation.

When sending a revocation message to a 'direct' co-located mobile node, this bit is essentially irrelevant, but SHOULD be set to '1'.

When sent by the foreign agent:

Set to '0' to indicate that the foreign agent is using foreign domain policy as to whether or not the mobile node should be informed of the revocation, or because 'I' bit support was not agreed upon.

Set to '1' to ask the home agent if the mobile node should be informed of the revocation.

Reserved MUST be sent as 0, ignored when received.

Home Address The home IP address of the mobile node whose registration is being revoked.

Foreign Domain Address The relevant IP address in the foreign domain to identify which binding is being revoked. This is one of the following: (i) the foreign agent's IP address, or (ii) the co-located care-of address.

Home Domain Address The IP address of the home agent to identify which binding is being revoked.

Revocation Identifier Protects against replay attacks. The revoking agent MUST insert its current 4-byte timestamp running off the same clock as it is using to fill in the timestamp in its revocation extensions. See section 3.5.

A registration revocation message MUST be protected by either a valid authenticator as specified in [1], namely a home-foreign authenticator, if the communication is between home and foreign agents, or a mobile-home authenticator if the communication is being sent from a home agent to a 'direct' co-located mobile node, or another security mechanism at least as secure, and agreed upon by the home and foreign domains, e.g., IPsec. If any agent, or 'direct' co-located mobile node, receives a registration revocation message that does not contain a valid authenticator, and is not adequately protected, the revocation message MUST be ignored, and silently discarded.

A revocation message MUST NOT be sent for any registration that has expired, and MAY only be sent prior to the expiration of a mobile node's registration. Note, however, due to the nature of datagram delivery, this does not guarantee these messages will arrive before the natural expiration of any binding.

An agent MUST NOT send more than one revocation message or registration message per second for the same binding. Note that this updates [1] by including revocation messages in the rate limit specified in [1], i.e., that an agent MUST NOT send more than one registration message per second for the same binding.

An example of the use of revocation messages is given in Appendix A.

3.4. Registration Revocation Acknowledgment Message

A revocation acknowledgment message is sent by mobility agents or 'direct' co-located mobile nodes to indicate the successful receipt of a revocation message.

IP fields:

Source Address Copied from the destination address of the received registration revocation message for which this registration revocation acknowledgment message is being generated.

Destination Address Copied from the source address of the received registration revocation message for which this registration revocation acknowledgment message is being generated.

UDP fields:

Source Port 434 (copied from the destination port of the revocation message).

Destination Port Copied from the source port of the revocation message.

The UDP header is followed by the Mobile IP fields shown below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Reserved  |I|         Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          Home Address                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Revocation Identifier                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Extensions...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
   | Authenticator...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
        
Type 15

Reserved MUST be sent as 0, ignored when received.

I Inform bit.

The 'I' bit MUST NOT be set to '1' in the revocation acknowledgment messages unless it was set to '1' in the revocation message. If an agent receives a revocation acknowledgment message in which the 'I' bit is set to '1', but for which the revocation message being acknowledged had the 'I' bit set to '0', the 'I' bit in the revocation acknowledgment message MUST be ignored.

When sent by the home agent:

Set to '1' by the home agent to request the foreign agent inform the mobile node of the revocation.

Set to '0' by the home agent to request the foreign agent not inform the mobile node of the revocation.

When sent by a foreign agent:

Set to '1' to indicate to the home agent that the mobile node was informed.

Set to '0' to indicate to the home agent that the foreign agent used local policy to determine whether or not the mobile node should be informed. For purposes of protocol robustness, it is highly recommended that such a default be set for the foreign agent to inform the mobile node of the revocation.

Reserved MUST be sent as 0, ignored when received.

Home Address The home address copied from the revocation message for which this acknowledgment is being sent.

Revocation Identifier Copied from the Revocation Identifier of the revocation message for which this acknowledgment is being sent. See Section 3.5.

A registration revocation acknowledgment message MUST be sent in response to a valid and authenticated registration revocation message.

A registration acknowledgment message MUST be protected by either a valid authenticator as specified in [1], namely a home-foreign authenticator if the communication is between home and foreign agents, or a mobile-home authenticator if the communication is between home agent and 'direct' co-located mobile node, or another security mechanism at least as secure and agreed upon by the home and foreign domains, e.g., IPsec.

An example of the use of Revocation Acknowledgment Messages is given in Appendix A.

3.5. Replay Protection

As registration revocation messages are designed to terminate service for a mobile node, or multiple mobile nodes simultaneously, replay protection is crucial to prevent denial of service attacks by "malicious repeaters" - those who store datagrams with the intent of replaying them at a later time, or by "malicious reflectors" - those who reflect packets back at their original source (both a form of "active" attack). See Section 6. for a discussion of these security considerations.

All Revocation Messages and Revocation Acknowledgment Messages MUST be authenticated as well as replay-protected. The order in which these two checks are done, however, is up to the implementation.

Replay protection is handled with a simple timestamp mechanism, using a single 32-bit identifier field in the registration revocation message, in conjunction with the home address field, to associate any revocation acknowledgment messages with its revocation messages. To do this:

- The revoking agent sets the 'A' bit to its agent-type, and the Revocation Identifier field in the registration revocation message to a valid 32-bit timestamp from the same clock it is using to set the timestamp field of its revocation extensions included in registration messages.

- Upon receipt of an authenticated revocation message, the receiving agent (or 'direct' co-located mobile node) MUST check the value of the 'A' bit, and Revocation Identifier to make sure this revocation message is not a replay of an old revocation message received from the same agent. The receiving agent MUST also check that the message is not a reflection of a revocation message it sent in relation to the identified binding. If the 'A' bit and Identifier field imply this packet is a replay, the revocation message MUST be silently discarded.

- When building a revocation acknowledgment message, the acknowledging agent (or 'direct' co-located mobile node) copies the values of the Home Address and Revocation Identifier fields from the revocation message into the Home Address and the Revocation Identifier of the revocation acknowledgment message. This is so the revoking agent can match this revocation acknowledgment to its corresponding revocation message.

- Upon receiving a valid revocation acknowledgment, the revoking agent MUST check the Home Address and Identifier fields to make sure they match those fields from a corresponding revocation message it sent to the acknowledging agent. If not, this revocation acknowledgment message MUST be silently discarded.

Note that since the Identifier in an incoming revocation message is a 32-bit timestamp, it is possible for an agent to check the validity of the Identifier fields without having to remember all identifiers sent by that corresponding agent.

Note: as it is possible for a mobile node to register at different times with different home agents, and at different times with different foreign agents, it is crucial that it not be required that the Identifier fields be unique in messages from different agents as there is no guarantee that clocks on different agents will be synchronized. For example, if a mobile node has simultaneous bindings with multiple foreign agents, and if revocation messages are received by more than one such foreign agent "simultaneously", it is possible the revocation message from one of these foreign agents may contain Identifier fields that happen to match those of any or all the other foreign agents. This MUST NOT result in any of these revocation messages being ignored.
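
The Type 7 revocation and Type 15 acknowledgment messages together with the replay, reflection and acknowledgment-matching checks of this section, as an added Python example (not code from the RFC). Bit positions follow the Section 3.3 and 3.4 layouts; the home-foreign authenticator is modelled on the RFC 3344 default (HMAC-MD5 in a type 34 Foreign-Home Authentication Extension), and the key, SPI and addresses are constructed.

```python
import hashlib
import hmac
import socket
import struct

REVOCATION_TYPE = 7        # Registration Revocation message (Section 3.3)
REVOCATION_ACK_TYPE = 15   # Registration Revocation Acknowledgment (Section 3.4)
FH_AUTH_EXT_TYPE = 34      # Foreign-Home Authentication Extension type from RFC 3344
A_BIT = 1 << 16            # 'A' bit of the first word: 1 = sent by home agent, 0 = by foreign agent
I_BIT = 1 << 15            # 'I' (Inform) bit of the first word

def build_revocation(a_bit, i_bit, home_addr, foreign_domain, home_domain, ident):
    """Fixed fields of a Type 7 message in network byte order (extensions appended later)."""
    word0 = (REVOCATION_TYPE << 24) | (A_BIT if a_bit else 0) | (I_BIT if i_bit else 0)
    return (struct.pack("!I", word0) + socket.inet_aton(home_addr) + socket.inet_aton(foreign_domain)
            + socket.inet_aton(home_domain) + struct.pack("!I", ident))

def build_revocation_ack(i_bit, home_addr, ident):
    """Fixed fields of a Type 15 message; Home Address and Identifier come from the revocation."""
    word0 = (REVOCATION_ACK_TYPE << 24) | (I_BIT if i_bit else 0)
    return struct.pack("!I", word0) + socket.inet_aton(home_addr) + struct.pack("!I", ident)

def parse(msg):
    """Decode the fixed fields of either message type; reserved bits are ignored on receipt."""
    word0, = struct.unpack("!I", msg[:4])
    mtype = word0 >> 24
    if mtype == REVOCATION_TYPE:
        ha, fd, hd, ident = struct.unpack("!4s4s4sI", msg[4:20])
        return {"type": mtype, "a": bool(word0 & A_BIT), "i": bool(word0 & I_BIT),
                "home_addr": socket.inet_ntoa(ha), "foreign_domain": socket.inet_ntoa(fd),
                "home_domain": socket.inet_ntoa(hd), "ident": ident}
    if mtype == REVOCATION_ACK_TYPE:
        ha, ident = struct.unpack("!4sI", msg[4:12])
        return {"type": mtype, "i": bool(word0 & I_BIT), "home_addr": socket.inet_ntoa(ha), "ident": ident}
    raise ValueError(f"unexpected Mobile IP message type {mtype}")

def add_authenticator(msg, spi, key):
    """Append a home-foreign authenticator (assumption: RFC 3344's default HMAC-MD5, 16 bytes)."""
    header = struct.pack("!BBI", FH_AUTH_EXT_TYPE, 20, spi)   # length = 4-byte SPI + 16-byte MAC
    return msg + header + hmac.new(key, msg + header, hashlib.md5).digest()

def verify_authenticator(wire, key):
    """Return the protected bytes if the trailing authenticator verifies, otherwise None."""
    if len(wire) < 22 or wire[-22] != FH_AUTH_EXT_TYPE or wire[-21] != 20:
        return None
    expected = hmac.new(key, wire[:-16], hashlib.md5).digest()
    return wire[:-22] if hmac.compare_digest(expected, wire[-16:]) else None

class RevocationPeer:
    """One agent's state towards one peer agent, applying the Section 3.5 checks."""

    def __init__(self, is_home_agent, spi, key):
        self.is_home_agent = is_home_agent   # our own agent type, compared against the 'A' bit
        self.spi, self.key = spi, key
        self.last_ident = None      # newest Revocation Identifier accepted from this peer
        self.outstanding = {}       # (home_addr, ident) -> 'I' bit of revocations awaiting an ack

    def _authenticated(self, wire, expected_type):
        body = verify_authenticator(wire, self.key)
        if body is None:
            return None                                  # Section 3.3: silently discard
        try:
            msg = parse(body)
        except (ValueError, struct.error):
            return None
        return msg if msg["type"] == expected_type else None

    def send_revocation(self, i_bit, home_addr, foreign_domain, home_domain, ident):
        """ident is the sender's current timestamp from its revocation-extension clock."""
        body = build_revocation(self.is_home_agent, i_bit, home_addr, foreign_domain, home_domain, ident)
        self.outstanding[(home_addr, ident)] = bool(i_bit)
        return add_authenticator(body, self.spi, self.key)

    def receive_revocation(self, wire):
        """Authenticate, then reject reflections and replays; returns the fields or None."""
        rev = self._authenticated(wire, REVOCATION_TYPE)
        if rev is None or rev["a"] == self.is_home_agent:
            return None          # bad authenticator, or our own agent type: a reflected copy
        if self.last_ident is not None and rev["ident"] <= self.last_ident:
            return None          # replay: timestamp not newer than the last one accepted
        self.last_ident = rev["ident"]
        return rev

    def acknowledge(self, rev, informed):
        """Signed ack; its 'I' bit may only be 1 if the revocation carried 'I' = 1."""
        ack = build_revocation_ack(informed and rev["i"], rev["home_addr"], rev["ident"])
        return add_authenticator(ack, self.spi, self.key)

    def receive_ack(self, wire):
        """Match the ack to an outstanding revocation by (Home Address, Identifier)."""
        ack = self._authenticated(wire, REVOCATION_ACK_TYPE)
        if ack is None:
            return None
        i_sent = self.outstanding.pop((ack["home_addr"], ack["ident"]), None)
        if i_sent is None:
            return None          # no such revocation from us: discard
        ack["i"] = ack["i"] and i_sent   # 'I' in the ack is ignored unless we set it ourselves
        return ack
```

The per-peer `last_ident` is all the receiver has to keep, which is the point the paragraph above makes about a timestamp identifier.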

4. Registration Revocation Overview

Registration Revocation consists of two distinct pieces: a signaling mechanism between tunnel endpoints, and a signaling mechanism between foreign agent and mobile node. A 'direct' co-located mobile node MAY implement revocation extensions and revocation acknowledgment in order to receive and respond to revocation messages from its home agent, however, a 'direct' co-located mobile node MUST NOT send a revocation message as de-registration messages defined in [1] are sufficient for this purpose.

For further discussion on security issues related to registration revocation, refer to Section 6.

4.1. Mobile Node Notification

A mechanism which provides a foreign agent a way to actively notify a mobile node that its binding has been reset already exists in [1], though it has been overlooked for this purpose.

A brief overview of the mechanics of the sequence number in agent advertisement from [1] is given so that the mechanism by which the foreign agent 'implies' to the mobile node that its binding is no longer active is clearly understood.

When a foreign agent begins sending agent advertisements, it starts with a sequence number of 0, and [monotonically] increments the sequence number with each subsequent agent advertisement. In order for a mobile node to be able to distinguish between a foreign agent that has simply exhausted the sequence number space from one which has been reset, when the agent increments the sequence number counter past its maximum value, it sets the sequence number to 256 instead of rolling to 0 [1]. In this way, a mobile node would have to miss, at that time, 256 advertisements in a row to mistake a reset as a roll-over. Moreover, the lifetimes contained within an agent advertisement should be set in such a way that when a mobile node believes it has missed 3 beacons, the entry for this foreign agent should time out, and if the mobile node is registered there, it should send an agent solicitation [1]. If, however, an agent is somehow reset, it will begin advertising with a sequence number of 0, and the mobile node can presume this foreign agent has lost its binding, and the mobile node SHOULD re-register to make sure it is still obtaining Mobile IP services through this foreign agent.

Leveraging this mechanism, a foreign agent may consciously notify all mobile nodes currently bound to it that it has "reset" all of their bindings, even if the agent itself has not been reset, by simply [re]setting the sequence number of the next agent advertisement to 0. Moreover, a foreign agent may inform all mobile nodes currently bound to it that they should re-register with a different foreign agent by simultaneously setting the 'B' bit in the advertisement to 1, indicating this foreign agent is busy and is not accepting new registrations [1]. In these situations, any mobile node in compliance with [1] will presume this foreign agent has lost its binding, and must re-register if they wish to re-establish Mobile IP functionality with their home subnet.

To indicate to any registered mobile node that its binding no longer exists, the foreign agent with which the mobile node is registered may unicast an agent advertisement with the sequence number set to 0 to the mobile node [1], [D]. Moreover, if such a foreign agent wishes to indicate to the mobile node that its binding has been revoked, and that the mobile node should not attempt to renew its registration with it, the foreign agent MAY also set the 'B' bit to 1 in these agent advertisements, indicating it is busy, and is not accepting new registrations [1]. All mobile nodes compliant with [1] will understand that this means the agent is busy, and MAY either immediately attempt to re-register with another agent in their foreign agent cache, or MAY solicit for additional agents. In the latter case, a foreign agent can optionally remember the mobile node's binding was revoked, and respond to the solicit in the same way, namely with the 'B' bit set to 1. It should be noted, though, that since the foreign agent is likely to not be setting the 'B' bit to 1 in its broadcasted agent advertisements (sent to the entire link), the revoked mobile node, upon hearing this agent's multicast agent advertisement without the 'B' bit set, may attempt to [re]register with it. If this happens, depending on foreign domain policy, the foreign agent can simply deny the mobile node with an appropriate error code (e.g., "administratively prohibited"). At this time, a mobile node can use foreign agent fallback to attempt to register with a different foreign agent as described in [1].

Mobile nodes which understand the revocation mechanism described by this document may understand that a unicast agent advertisement with the sequence number reset to 0 could indicate a revocation, and may attempt to re-register with the same foreign agent, or register with a different foreign agent, or co-locate.

Agent Advertisements unicast to a mobile node MUST be sent as described in [1] in addition to any methods currently in use on the link to make them secure or authenticatable to protect from denial-of-service attacks.
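
The sequence-number behaviour described in this section, from both the foreign agent's and the mobile node's side, as an added Python example (not code from the RFC or from [1]); the 16-bit width of the field is taken from [1], and the action names and the constructed run are this example's own.

```python
SEQ_MAX = 0xFFFF   # the agent advertisement Sequence Number is a 16-bit field [1]
SEQ_WRAP = 256     # value after exhausting the space: only a reset ever produces values below 256


class ForeignAgentBeacon:
    """Sequence-number and 'B' bit state of one foreign agent's agent advertisements."""

    def __init__(self):
        self.seq = 0          # a (re)initialised agent starts at 0
        self.busy = False     # the 'B' bit: busy, not accepting new registrations

    def advertisement(self):
        """Emit the next advertisement: 0, 1, ..., 0xFFFF, 256, 257, ... (never back to 0)."""
        adv = {"seq": self.seq, "B": self.busy}
        self.seq = SEQ_WRAP if self.seq == SEQ_MAX else self.seq + 1
        return adv

    def reset_all_bindings(self, redirect=False):
        """Tell every bound mobile node its binding is gone without restarting the agent.

        The next advertisement carries sequence number 0; with redirect=True the 'B' bit is
        set too, so the nodes go to a different foreign agent instead of re-registering here.
        """
        self.seq = 0
        self.busy = redirect
        return self.advertisement()


def mobile_node_action(last_seq, adv, unicast=False, understands_revocation=False):
    """What a mobile node registered through this foreign agent does with an advertisement."""
    seq = adv["seq"]
    if last_seq is None or seq >= last_seq:
        return "in-order"                       # the binding is still believed to be valid
    if seq >= SEQ_WRAP:
        return "wrapped"                        # 0xFFFF -> 256: the agent was not reset
    # A drop to below 256 means the agent, or at least this binding, was reset
    if adv["B"]:
        return "register-with-other-agent"      # agent is busy: use foreign agent fallback [1]
    if unicast and understands_revocation:
        return "binding-revoked"                # may re-register here, elsewhere, or co-locate
    return "re-register"                        # plain [1] behaviour: re-register with this agent


def simulate_revocation_by_advertisement(ticks=5):
    """Constructed run: a node follows some advertisements, then the agent revokes its binding."""
    fa = ForeignAgentBeacon()
    last_seq = None
    for _ in range(ticks):
        last_seq = fa.advertisement()["seq"]
    adv = fa.reset_all_bindings(redirect=True)       # unicast to the revoked node
    return last_seq, adv, mobile_node_action(last_seq, adv, unicast=True, understands_revocation=True)
```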

4.2. Registration Revocation Mechanism - Agent Notification

A foreign agent that is currently supporting registration revocation on a link MUST set the 'X' bit in its Agent Advertisement Extensions being sent on that link. This allows mobile nodes requiring Registration Revocation services to register with those foreign agents advertising its support.

4.2.1. Negotiation of Revocation Support

During the registration process, if the foreign agent wishes to participate in revocation messages with the home domain, it MUST have an existing security association with the home agent identified in the registration request, and append a revocation support extension (defined in Section 3.2.) to it. If the corresponding registration reply from this home agent does not contain a revocation support extension, the foreign agent SHOULD assume the home agent does not understand registration revocation, or is unwilling to participate. If this is unacceptable to the foreign agent, it MAY deny the registration with e.g., "Administratively Prohibited". Note that in this case, where a security association exists, as specified in [1], both registration request and registration reply MUST still contain home-foreign authenticators.

If a home agent wishes to be able to exchange revocation messages with the foreign domain, it MUST have an existing security association with the foreign agent who relayed the registration request, and it MUST append a revocation support extension to the registration reply. If the registration request from a foreign agent did not contain a revocation support extension, the home agent SHOULD assume the foreign agent does not understand registration revocation, or is unwilling to participate specifically for this binding. If this is unacceptable to the home agent, it MAY deny the registration with e.g., "Administratively Prohibited". The home agent MAY include a revocation support extension in the registration reply.

If a 'direct' co-located mobile node wishes to be informed of a released binding by its home agent, it MUST insert a revocation support extension into the registration request. If this is acceptable to the home agent, it MUST include a revocation support extension in its registration reply. Note that if this is not acceptable, the home agent MAY deny the registration, or it MAY simply not include a revocation support extension in its registration reply indicating to the mobile node that it will not participate in revocation for this binding. A home agent which receives a registration request from a 'direct' co-located mobile node which does not contain a revocation support extension MAY deny the registration with e.g., "Administratively Prohibited" and also MAY or MAY NOT include a revocation support extension in the registration reply.

Note that a non-colocated mobile node MUST NOT insert a revocation support extension into its registration request. If a foreign agent receives such a registration request, it MUST silently discard it, and MAY log it as a protocol error.

The 'I' bit in the revocation extension is used to indicate whether or not the decision to inform the mobile node that its binding is terminated will be left to the home agent. This functionality is offered by the foreign agent, and accepted by the home agent. More precisely, by sending a revocation extension attached to a registration request in which the 'I' bit is set to 1, the foreign agent is indicating to the home agent that it MAY leave the decision to inform this mobile node that its registration is terminated up to the home agent. (The term "MAY" is used here because it is recognized that domain policy may change during the lifetime of any registration). The home agent can acknowledge that it wishes to do this by setting the 'I' bit to 1, or it can indicate it will not do so by setting the 'I' bit to 0, in the revocation extension appearing in the registration reply.

Revocation support is considered to be negotiated for a binding when both sides have included a revocation support extension during a successful registration exchange.

4.2.2. Home Domain Revoking/Releasing a Registration

The following section details the responsibilities of each party depending on the functionality negotiated in the revocation support extensions when the home domain is revoking a registration.

4.2.2.1. Home Agent Responsibilities

In the case where a home agent is revoking a mobile node's binding, and revocation support has been negotiated, the home agent MUST notify the foreign domain address it is terminating the tunnel entry point by sending a revocation message. Note that the foreign domain address can either be the foreign agent care-of address, or the co-located care-of address of a 'direct' co-located mobile node.

As a home agent, it MUST set the 'A' bit to '1', indicating this packet is coming from the home agent servicing this binding.

When a revocation message is being sent to a foreign agent, and the use of the 'I' bit was negotiated in the registration process, the home agent MUST set the 'I' bit to 1 if the home agent would like the foreign agent to inform the mobile node of the revocation. Conversely, if the home agent does not want the mobile node notified, it MUST set the 'I' bit to 0. Note that the home agent could also set the 'I' bit to '0' because it knows the mobile node has registered with a different foreign agent, and so there is no need for the foreign agent to attempt a notification.

The home agent MUST set the Identifier field as defined in Section 3.5., and MUST include a valid authenticator as specified in Section 3.3.

If the home agent does not receive a revocation acknowledgment message within a reasonable amount of time, it MUST retransmit the revocation message. How long the home agent waits to retransmit, and how many times the message is retransmitted is limited by the requirement that:

- every time the home agent is about to retransmit the revocation message, it MUST update the value of the timestamp in the revocation identifier with a current value from the same clock used to generate the timestamps in the revocation extensions sent to this foreign agent. Note that this also necessarily means updating any fields derived using the revocation identifier (e.g., a home-foreign authenticator).

- the home agent MUST NOT send more than one revocation per second for a particular binding,

- the time between retransmissions SHOULD fall-back in analogy with the registration guidelines in [1], namely exponential backoff, and

- the home agent MUST NOT retransmit revocation messages beyond the normal life of the binding identified by the revocation message.

4.2.2.2. Foreign Agent Responsibilities

Upon receiving a registration revocation message, the foreign agent MUST check the validity of the authenticator, the 'A' bit, and the identifier field against replay as defined by Section 3.5. The foreign agent MUST also identify the binding described by the home agent as being released using the information in the revocation message, namely the addresses identified by the mobile node address, the foreign domain address, the home domain address, as well as the timestamp in the revocation message, and also the timestamp in the last accepted registration message; revocations are only valid for existing registrations, and so the timestamp of a registration MUST precede the revocation message (note that both of those timestamps were set by the same home agent). Upon locating the binding, the foreign agent MUST revoke it, and MUST respond with a revocation acknowledgment sent to the source address of the revocation message. If the 'I' bit was negotiated, the foreign agent MUST check the value of the 'I' bit in the revocation message and act accordingly.

If notifying the mobile node by the methods described in Section 4.1., the foreign agent MUST set the 'I' bit to '1' in the revocation acknowledgment to be sent to the home agent, or if not notifying the mobile node, the foreign agent MUST set the 'I' bit to '0'.

The foreign agent may discontinue all Mobile IP services by the former binding at this time, and free up any resources that were being used by it.

The foreign agent MUST then generate a revocation acknowledgment, setting the Home Address and Identifier field in the revocation acknowledgment message as described by Section 3.5., and protect it with a valid authenticator as specified in Section 3.3.

4.2.2.3. 'Direct' co-located mobile node Responsibilities

Upon receiving a revocation message, the 'direct' co-located mobile node MUST validate the authenticator, and check the home address and identifier specified in the revocation message for replay. If the packet passes authentication, and the identifier reveals this revocation to be new, the mobile node MUST verify that the information contained in the revocation messages identifies the home agent with which it has a current binding, that this binding identifies correctly this mobile node and any foreign domain address it is currently using. If the mobile node is able to identify such a binding, the mobile node SHOULD first generate a revocation acknowledgment message which MUST be sent to the IP source address of the revocation message. The mobile node may then terminate any reverse tunnel encapsulation [C] it is using to this home agent, and consider its binding revoked, and free up any other resources associated with the former binding.

4.2.3. Foreign Domain Revoking/Releasing a Registration

The following section details the responsibilities of each party depending on the functionality negotiated in the revocation support extensions when the foreign domain is revoking a registration. Note that revocation support for a co-located mobile node registering via a foreign agent (because the 'R' bit was set in the agent's advertisement) is not supported. See Section 4.3.1. for details.

4.2.3.1. Foreign Agent Responsibilities

If the use of the 'I' bit was negotiated, and the foreign domain policy of informing the mobile node has not changed since the last successful registration exchange, the foreign agent MUST NOT inform any mobile node of its revocation at this time. Instead, the foreign agent MUST set the 'I' bit to '1' in the revocation message, thereby asking the home agent to use the 'I' bit in the revocation acknowledgment to indicate if it should notify the affected mobile nodes. If the policy on the foreign domain was to not notify the mobile node, or if it has changed since the most recent successful registration, and the foreign agent is no longer able to use the 'I' bit, the foreign agent MUST set the 'I' bit to '0', and follow the policies of the foreign domain with regard to notifying the mobile node.

Note that the 'A' bit MUST be set to '0' to indicate that the revocation message is coming from the foreign agent servicing this binding.

Before transmitting the revocation message, the foreign agent MUST set the revocation identifier as described by section 3.5., and MUST include an authenticator as described by section 3.3.

If the foreign agent does not receive a revocation acknowledgment message within a reasonable amount of time, it MUST retransmit the revocation message. How long the foreign agent waits to retransmit, and how many times the message is retransmitted is only limited by the following specifications:

- every time the foreign agent is about to retransmit the revocation message, it MUST update the value of the timestamp in the revocation identifier with a current value from the same clock used to generate the timestamps in the revocation extensions sent to this home agent. Note that this also necessarily means updating any fields derived using the revocation identifier (e.g., a home-foreign authenticator).

- MUST NOT send more than one revocation per second for a particular binding,

- SHOULD set its retransmissions to fall-back in analogy with the registration guidelines in [1], namely exponential backoff, and

- MUST NOT retransmit revocation messages beyond the normal life of the binding identified by the revocation message.
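
The retransmission rules above, which are the same for the home agent in Section 4.2.2.1 and the foreign agent in Section 4.2.3.1, as an added Python example (not code from the RFC): a per-binding retransmit timer that enforces the one-per-second limit, exponential backoff, a fresh identifier on every transmission and the binding-lifetime cutoff. The clock passed in is a constructed stand-in for the agent's revocation-extension clock, and the tick-driven `simulate` helper is this example's own.

```python
MIN_INTERVAL = 1.0   # Section 3.3: at most one revocation per second for the same binding


class RevocationRetransmitter:
    """Timer and identifier state for one unacknowledged revocation of one binding.

    clock() must be the clock the agent also uses for the timestamps in its revocation
    extensions, because the Revocation Identifier is read from it on every (re)transmission.
    """

    def __init__(self, binding_expiry, clock, initial_backoff=MIN_INTERVAL):
        self.binding_expiry = binding_expiry      # normal end of the binding's life
        self.clock = clock
        self.wait = max(initial_backoff, MIN_INTERVAL)   # never faster than one per second
        self.last_sent = None
        self.acked = False
        self.attempts = []        # (send time, Revocation Identifier) for each transmission

    def may_send(self, now):
        """True when a (re)transmission is due and still permitted."""
        if self.acked or now >= self.binding_expiry:
            return False                   # acknowledged, or the binding has run out anyway
        if self.last_sent is None:
            return True
        return now - self.last_sent >= self.wait

    def send(self, now):
        """Record a transmission; returns the fresh Identifier, or None when not permitted.

        The fresh timestamp changes the message, so the caller must recompute every field
        derived from it (the home-foreign authenticator) before the datagram goes out.
        """
        if not self.may_send(now):
            return None
        ident = int(self.clock()) & 0xFFFFFFFF
        if self.last_sent is not None:
            self.wait *= 2                 # exponential backoff, in analogy with [1]
        self.last_sent = now
        self.attempts.append((now, ident))
        return ident

    def acknowledged(self):
        """A matching revocation acknowledgment arrived: stop retransmitting."""
        self.acked = True


def simulate(first_send, binding_expiry, ack_at=None, initial_backoff=MIN_INTERVAL, tick=0.5):
    """Drive the timer on a half-second tick; the constructed clock just returns the tick time."""
    now = [first_send]
    rt = RevocationRetransmitter(binding_expiry, clock=lambda: now[0], initial_backoff=initial_backoff)
    while now[0] <= binding_expiry:
        if ack_at is not None and now[0] >= ack_at:
            rt.acknowledged()
        rt.send(now[0])
        now[0] += tick
    return rt.attempts
```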

4.2.3.2. Home Agent Responsibilities

Upon receiving a registration revocation message, the home agent MUST check the 'A' bit, and identifier field, as well as the authenticator. If the packet is acceptable, the home agent MUST locate the binding identified by the foreign agent as being released using the information in the revocation message, namely the addresses identified by the home address, the foreign domain address and the home domain address fields. As revocations are only valid for existing registrations, the timestamp of a registration MUST precede the revocation message (note that both of those timestamps were set by the same foreign agent). Since this binding is no longer active, the home agent can free up any resources associated with the former binding and discontinue all Mobile IP services for it.

Upon processing a valid registration revocation message, the home agent MUST send a revocation acknowledgment to the IP source address of the registration revocation message.

If use of the 'I' bit was negotiated, and the 'I' bit is set to '1' in the revocation message, the home agent should decide if it wants the mobile node informed of the revocation of this binding. If it does want the mobile node informed, it MUST set the 'I' bit in the revocation acknowledgment message to '1'. If it does not want the mobile node informed, it MUST set the 'I' bit to '0'.

The home agent MUST set the Home Address, and Revocation Identifier fields as described by Section 3.5., and protect the revocation acknowledgment message with a valid authenticator as specified in Section 3.3.

4.2.4. Mobile Node Deregistering a Registration

The cases where a mobile node is registered with its home agent, whether it is registered directly with its home agent ('direct' co-located mobile node), or registered via a foreign agent, and wishes to terminate its own binding, the mobile node MUST NOT send a revocation message, but SHOULD simply deregister the appropriate care-of address with its home agent as described by [1].

4.3. Mobile IP Registration Bits in the Revocation Process

Several of the bits used in the registration process need special consideration when using the revocation mechanism.

4.3.1. The 'R' Bit in Use

If the foreign agent wishes to be able to revoke a mobile node's registration, it MUST set the 'R' bit in its agent advertisements. (A foreign agent advertising the 'R' bit requests every mobile node, even one that is co-located (and whose registration would otherwise by-pass the foreign agent), to register with the foreign agent.) However, in this case, the foreign agent SHOULD deny a registration request as "Administratively Prohibited" from a mobile node that is registering in a co-located fashion. The reason being that the foreign agent will not be able to revoke the binding of a co-located mobile node due to reasons outlined in Section 4.3.2.

How the foreign agent and/or foreign domain enforce the 'R' bit is beyond the scope of this document.

4.3.2. The 'D' bit in Use

A mobile node registering directly with its home agent in a co-located fashion with the 'D' bit set in its registration request is supported in registration revocation. However, support for a co-located mobile node (with the 'D' bit set in its registration request) registering via a foreign agent is not supported for the following reasons.

Registration requests where the 'D' bit is set, and which are relayed through a foreign agent (e.g., due to the advertising of the 'R' bit) should theoretically contain the foreign agent address as the source address of the registration request when received by the home agent. A home agent may conclude that the source address of this registration request is not the same as the co-located care-of address contained in the registration request, and is therefore likely to be the address of the foreign agent. However, since there is no way to guarantee that this IP source address is in fact an address of the foreign agent servicing the mobile node, accepting a revocation message from this IP source address may lead to a denial-of-service attack by a man-in-the-middle on the mobile node.

Moreover, there is currently no method for the foreign agent servicing the mobile node to identify itself to the home agent during the Mobile IP registration phase. Even if a foreign agent could identify itself, the co-located mobile node would also need to authorize that this foreign agent is indeed the agent that is providing it the Mobile IP services. This is to thwart a denial-of-service attack on the mobile node by a foreign agent that has a security association with the home agent, and is on the path between the co-located mobile node and the home agent.

5. Error Codes

As the intent of a registration revocation message is not a request to discontinue services, but is a notification that Mobile IP services are discontinued, there are no new error codes.

6. Security Considerations

There are two potential vulnerabilities, one in the agent advertisement mechanism, and one related to unauthorized revocation messages.

6.1. Agent Advertisements

Although the mechanisms defined by this document do not introduce this problem, it has been recognized that agent advertisements as defined in [1] subject mobile nodes to a denial-of-service potential. This is because the agent advertisement as defined in [1] may be spoofed by other machines residing on the link. This makes it possible for such nodes to trick the mobile node into believing its registration has been revoked either by unicasting an advertisement with a reset sequence number to the link-local address of the mobile node, or by broadcasting it to the subnet, thereby tricking all mobile nodes registered with a particular foreign agent into believing all their registrations have been lost.

There has been some work in this working group and others (e.g., IPsec) to secure such router advertisements, though at the time of this publication, no solutions have become common practice. To help circumvent possible denial of service issues here, bringing their potential for disruption to a minimum, mobile node implementors should ensure that any agent advertisement which does not strictly conform to [1], specifically those whose TTL is not 1, or which do not emanate from the same link-address (when present) as other agent advertisements supposedly from the same agent, or even that of the last successful registration reply, is silently discarded.
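
The two checks recommended above (TTL exactly 1, and a stable link-layer source per agent) are straightforward to apply on the mobile node. The following Python is an added example for this page, not code from the RFC or from any Mobile IP stack; the `AgentAdvertisement` structure, the filter class and the sample addresses are all constructed for illustration. The link address learned from the last successful registration reply is treated as authoritative, so a later advertisement for the same agent IP from a different link address is dropped.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AgentAdvertisement:
    """Fields of a received agent advertisement relevant to the check (constructed)."""
    src_ip: str                 # IP source address of the advertising agent
    link_addr: Optional[str]    # link-layer source address, when the medium provides one
    ttl: int                    # IP TTL of the received datagram


class AdvertisementFilter:
    """Mobile-node side filter for agent advertisements."""

    def __init__(self):
        # agent IP -> link address seen in earlier advertisements or in the
        # last successful registration reply from that agent
        self.link_addr_by_agent = {}

    def note_registration_reply(self, agent_ip, link_addr):
        """Record the link address a successful registration reply arrived from."""
        self.link_addr_by_agent[agent_ip] = link_addr

    def accept(self, adv):
        """Return (accepted, reason). Rejected advertisements are to be ignored
        silently; the reason is only for the caller's logging."""
        if adv.ttl != 1:
            return False, "ttl is not 1"
        if adv.link_addr is not None:
            known = self.link_addr_by_agent.get(adv.src_ip)
            if known is not None and known != adv.link_addr:
                return False, "link address differs from earlier advertisements"
            self.link_addr_by_agent.setdefault(adv.src_ip, adv.link_addr)
        return True, "ok"
```

Note that a reset sequence number on its own is not a rejection criterion: a genuinely rebooted foreign agent also resets it, which is exactly why [1] uses it to signal lost registrations. The filter therefore relies on the properties a spoofed datagram from another node on the link cannot easily satisfy.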

6.2. Revocation Messages

As registration revocation, when performed, terminates Mobile IP services being provided to the mobile node, it is crucial that all security and replay protection mechanisms be verified before a mobility agent believes that the other agent has revoked a binding. Messages which are sent link-local (e.g., between mobile node and foreign agent) MAY also be secured by methods outlined in [1], namely the use of mobile-foreign authenticators, but these have no direct relation to registration revocation.

RFC 3344 [1] defines a security mechanism that MUST be used between home agents and mobile nodes, and MAY be used between home agents and foreign agents, namely the use of authenticators. All foreign and home agents MUST support protection of revocation messages via the foreign-home authenticators defined in [1]. They MAY implement other mechanisms of equal or greater strength; if such mechanisms are known to be available to both parties, they MAY be used instead.

Revocation messages are at least as secure as registration messages passed between home and foreign agents and containing home-foreign authenticators as defined in [1]. Thus, there are no new security threats introduced by the revocation mechanism other than those present in [1] with respect to the compromise of the shared secret which is used to generate the home-foreign authenticators.

That said, there are two types of active attacks which use messages captured "in flight" by a man-in-the-middle between the home and foreign agents - "malicious repeaters" and "malicious reflectors".

In the case of a "malicious repeater", a man-in-the-middle captures a revocation message, then replays it to the same IP destination address at a later time. Presuming the authenticator of the original packet was deemed valid, without replay protection, the home-foreign authenticator of the replayed packet will (again) pass authentication. Note that since datagrams are not guaranteed to arrive unduplicated, a replay may occur by "design".

In the case of a "malicious reflector," a man-in-the-middle captures a revocation message, then returns it to its originator at a later time. If the security association between home and foreign domains uses a security association involving a (single) shared secret which only protects the contents of the UDP portion of the packet (such as home-foreign authenticators as defined by [1]), without replay protection, the sender of the packet will also believe the revocation message to be authentic.

The replay protection mechanism used by the revocation messages defined by this document is designed to protect against both of these active attacks. As a benefit, by using a 32-bit timestamp it can be more quickly determined if revocation messages are replays, though the reader is advised to use caution in this approach. An agent which receives an authenticated revocation message can compare the Identifier field to that of a previously received revocation message, and if the timestamp in the new message is found to have been generated after that of the time-stamp in the last revocation message received, it can immediately be determined as not being a replay. Note however that since datagrams are not guaranteed to arrive in order, it should not be presumed that because the values contained in an Identifier field are timestamps that they will necessarily be increasing with each successive revocation message received. Should an implementor decide to base his replay detection mechanism on increasing timestamps, and therefore increasing Identifier values, a suitable time window should be defined in which revocation messages can be received. At worst, ignoring any revocation message should result in the retransmission of another revocation message, this time with timestamp later than the last one received.
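
The home agent's processing rules from Section 4.2.3.2 and the replay-window advice above fit together in one receive path, shown here as an added Python example for this page (not code from the RFC or from any implementation). It assumes the authenticator has already been verified, that the 'A' bit is '0' on a revocation sent by a foreign agent (as in Appendix A), and it uses a constructed seven-second window; the binding table keys and sample addresses are likewise constructed. A retransmission of an already-accepted revocation carries a newer timestamp and is acknowledged again rather than treated as a replay, so a lost acknowledgment does not leave the foreign agent retransmitting into silence.

```python
from dataclasses import dataclass

# Tolerance, in seconds, for identifiers arriving out of order (constructed value;
# the RFC asks only that "a suitable time window" be defined).
REPLAY_WINDOW = 7


@dataclass
class Binding:
    home_addr: str          # mobile node home address
    care_of_addr: str       # foreign domain address
    home_agent_addr: str    # home domain address
    registered_at: int      # timestamp the foreign agent placed in its revocation extension


class HomeAgentRevocations:
    """Home-agent side handling of an already-authenticated revocation message."""

    def __init__(self, bindings):
        self.active = {(b.home_addr, b.care_of_addr, b.home_agent_addr): b
                       for b in bindings}
        # key -> identifier of the accepted revocation; kept so that a
        # retransmission can be acknowledged and a replay recognised
        self.revoked = {}

    def process(self, home_addr, foreign_domain_addr, home_domain_addr,
                a_bit, identifier, now):
        """Return ('revoked', key) when a binding is torn down, ('ack', key) for a
        retransmission of an accepted revocation, or ('drop', reason) when the
        message must be ignored (no acknowledgment is sent in that case)."""
        if a_bit != 0:
            return "drop", "A bit is not 0 (foreign agent is the sender)"
        if abs(now - identifier) > REPLAY_WINDOW:
            return "drop", "identifier outside the replay window"
        key = (home_addr, foreign_domain_addr, home_domain_addr)
        if key in self.revoked:
            if identifier > self.revoked[key]:
                self.revoked[key] = identifier
                return "ack", key           # retransmission with a fresh timestamp
            return "drop", "replayed identifier"
        binding = self.active.get(key)
        if binding is None:
            return "drop", "no such binding"
        if identifier < binding.registered_at:
            return "drop", "revocation predates the registration"
        del self.active[key]                # free the binding's resources
        self.revoked[key] = identifier
        return "revoked", key
```

The "predates the registration" check relies on the page's observation that both timestamps were set by the same foreign agent's clock; the window check is what defends against a "malicious repeater" replaying an old but correctly authenticated message, and against a "malicious reflector" only in combination with the 'A' bit, which distinguishes the two directions.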

Note that any registration request or reply can be replayed. With the exchanging of time-stamps by agents in revocation extensions, an agent should have a belief that such messages have been delivered in a timely manner. For purposes of registration revocation, the timeliness of a registration packet is simply based on the granularity of each registration. Since [1] provides a replay mechanism for the home agent to use, it has a way to tell if the registration request being presented to it is new. The foreign agent, however, has no such mechanism in place with the mobile node. Foreign agents are advised to continue to consider registrations 'outstanding' until the associated registration reply is returned from the home agent before using the information in any of its visitor entries. Even so, this leaves the foreign agent open to a potential denial of service attack in which registration requests and replies are replayed by multiple nodes. When this happens, the foreign agent could be led to believe such registrations are active, but with old information, which can have adverse effects on them, as well as on the ability of that agent to successfully use the procedures outlined in this document. Sufficient protection against this scenario is offered by the challenge-response mechanism [2] by which a foreign agent generates a live challenge to a mobile node for the purposes of making sure, among other things, that the registration request is not a replay.

7. IANA Considerations

This document defines an additional set of messages between the home and foreign agent specific to the services being provided to the same mobile node, or sub-set of mobile nodes. To ensure correct interoperation based on this specification, IANA has reserved values in the Mobile IP number space for two new message types, and a single new extension.

7.1. New Message Types

The following message types are introduced by this specification:

Registration Revocation: A new Mobile IP control message, using UDP port 434, type 7. This value has been taken from the same number space as Mobile IP Registration Request (Type = 1), and Mobile IP Registration Reply (Type = 3).

Registration Revocation Acknowledgment: A new Mobile IP control message, using UDP port 434, type 15. This value has been taken from the same number space as Mobile IP Registration Request (Type = 1), and Mobile IP Registration Reply (Type = 3).

7.2. New Extension Values

The following extensions are introduced by this specification:

Revocation Support Extension: A new Mobile IP Extension, appended to a Registration Request, or Registration Reply. The value assigned is 137. This extension is derived from the Extension number space. It MUST be in the 'skippable' (128 - 255) range as defined in RFC 3344.

7.3. New Error Codes

There are no new Mobile IP error codes introduced by this document.

8. References

8.1. Normative References (Numerical)

[1] Perkins, C., Ed., "IP Mobility Support for IPv4", RFC 3344, August 2002.

[2] Perkins, C. and P. Calhoun, "Mobile IPv4 Challenge/Response Extensions", RFC 3012, November 2000.

[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

8.2. Informational References (Alphabetical)

[A] Glass, S., Hiller, T., Jacobs, S. and C. Perkins, "Mobile IP Authentication, Authorization, and Accounting Requirements", RFC 2977, October 2000.

[B] Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann, P., Shiino, H., Walsh, P., Zorn, G., Dommety, G., Perkins, C., Patil, B., Mitton, D., Manning, S., Beadles, M., Chen, X., Sivalingham, S., Hameed, A., Munson, M., Jacobs, S., Lim, B., Hirschman, B., Hsu, R., Koo, H., Lipford, M., Campbell, E., Xu, Y., Baba, S. and E. Jaques, "Criteria for Evaluating AAA Protocols for Network Access", RFC 2989, November 2000.

[C] Montenegro, G., Ed., "Reverse Tunneling for Mobile IP, revised", RFC 3024, January 2001.

[D] Deering, S., Ed., "ICMP Router Discovery Messages", RFC 1256, September 1991.

[E] Calhoun, P. and C. Perkins, "Mobile IP Network Access Identifier Extension for IPv4", RFC 2794, March 2000.

Appendix A: An Example of the Revocation Messages in Use

For clarity, the following example is meant to illustrate the use of the new messages in the registration phase, and the revocation phase. In this example, a foreign agent and home agent will negotiate revocation during the registration phase. During the revocation phase, the foreign agent will revoke the binding of a mobile node.

A.1. The Registration Phase

Consider a foreign agent that supports registration revocation, and has a security association with a home agent to which it is forwarding a registration request. The foreign agent will include the revocation support extension after the mobile-home authenticator. Assume that the foreign agent supports the use of the 'I' bit, and is willing to let the home agent decide if the mobile node should be informed of the revocation of its registration. Thus, the foreign agent will set the 'I' bit to '1'. The foreign agent will append a foreign-home authenticator to the registration request.

Upon receiving the registration request containing a revocation extension, the home agent will include a revocation support extension in the registration reply. Since the foreign agent set the 'I' bit to '1' in its revocation extension, and the home agent supports the use of the 'I' bit, the home agent will set the 'I' bit in its registration extension to '1'. Additionally, the home agent will append a home-foreign authenticator to the registration request.

Upon receiving the authenticated registration reply, the foreign agent will check the revocation support extension and note that the home agent wants to decide if the mobile node should be notified in the event this registration is revoked, i.e., since the home agent set the 'I' bit in the return revocation extension.

A.2. The Revocation Phase

The foreign agent revokes a mobile node's binding, and generates a revocation message to be sent to the mobile node's home agent. Since the 'I' bit was negotiated in the revocation extensions, and the foreign agent is still willing to let the home agent indicate whether this mobile node should be informed about the revocation, it will set the 'I' bit to '1' in the revocation message. The foreign agent also makes sure the 'A' bit is set to '0'.

The foreign agent will also place the address of the mobile node whose registration it wishes to revoke in the home address field, the address that the mobile node registered as the care-of address in the foreign domain field, and the address registered as the home agent in the home domain address field. The foreign agent will set the Revocation Identifier to the current 32-bit timestamp, and append the foreign-home authenticator.

Upon receiving the above revocation message, the home agent uses the address identified as the foreign domain address to identify the security association, and authenticate the revocation message. After authenticating the message, the home agent will check to make sure the 'A' bit and Identifier indicate that this revocation is not a replay. The home agent then uses the mobile node home address, foreign domain address, and home domain address to locate the mobile node whose registration is being revoked.

Upon processing a valid registration revocation message, the home agent generates a revocation acknowledgment message. Since the 'I' bit was set to '1' in the revocation message and the home agent wishes for the identified mobile node to be informed of the revocation, it will set the 'I' bit in the revocation acknowledgment to '1'. The home agent then copies the home address and the Revocation Identifier field into the revocation acknowledgement. The home agent protects the revocation acknowledgment with a home-foreign authenticator.

Upon receiving a valid revocation acknowledgment (in which the authenticator and Identifier fields are acceptable), the foreign agent checks the state of the 'I' bit. Since the 'I' bit is set to '1', the foreign agent will notify the mobile node of the revocation.

Appendix B: Disparate Address, and Receiver Considerations

Since the registration revocation message comes from a source address that is topologically routable from the interface receiving the datagram, the agents, by definition, are topologically connected (if this were not the case, the initial registration mechanism would have failed). If either are the ultimate hop from this topologically connected region to one or more disparate address spaces, no problems are foreseen. In order for the mobile node to have successfully registered with its home agent, it MUST have provided to the network (foreign agent) to which it is currently attached a routable address of its home agent. Conversely, the care-of address being used by the mobile node must also be topologically significant to the home agent in order for the registration reply to have been received, and the tunnel initiated. By definition, then, the home agent address and the care-of address must each be significant, and either address must form a unique pair in the context of this mobile node to both agents.

Another way of understanding this is that the tunnel endpoints are in some way connected, and hence each are unique as far as the other end is concerned. The address at the other end of the tunnel, in combination with the address of the mobile node, must therefore form a unique pair that can be identified by the agent receiving the registration revocation message.

As an example, consider a mobile node whose home address lies in disparate address space A behind its home agent. In the following diagram, [*] indicates an interface of the entity in which it appears.

      MN[a]-----[c]FA[b]=====((()))=====[b]HA[a]-----[a]CN

      Address        Some topologically       Address
      Space C        connected network        Space A

We presume a binding for MN exists, and hence a tunnel between FA[b] and HA[b] exists. Then, since the address assigned to MN[a] MUST be unique in address space A, the pair {FA[b],MN[a]} is guaranteed to be unique in the binding table of HA, and the pair {HA[b],MN[a]} is guaranteed to be unique in the foreign agent's visitor list.

As a result, a home agent receiving a registration revocation message and foreign-home authenticator for MN[a] from FA[b] is able to determine the unique mobile node address being deregistered. Conversely a foreign agent receiving a registration revocation message and home-foreign authenticator for MN[a] from HA[b] is able to determine the exact mobile node address being deregistered. For this reason, if a foreign agent receives a registration revocation message with the home domain field set to the zero address it MUST be silently discarded. This is to prevent confusion in the case of overlapping private addresses; when multiple mobile nodes are registered via the same care-of address and coincidentally using the same (disparate/private) home address, the home agent address appearing in the home domain field is the only way a foreign agent can discern the difference between these mobile nodes.
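
The unique-pair argument above translates directly into how each agent should key its tables. The following Python is an added example for this page, not code from the RFC or from any implementation; the two table classes and the sample addresses are constructed. It shows the overlapping-private-address case the paragraph describes: two visitors sharing the same care-of address and the same (private) home address are told apart at the foreign agent only by the home agent address in the home domain field, so a revocation carrying the zero address is discarded rather than guessed at.

```python
ZERO_ADDRESS = "0.0.0.0"


class ForeignAgentVisitorList:
    """Visitor list keyed by the pair {home agent address, mobile node home address},
    which Appendix B shows to be unique at the foreign agent."""

    def __init__(self):
        self.visitors = {}   # (home_agent_addr, mn_home_addr) -> care-of address in use

    def register(self, mn_home_addr, home_agent_addr, care_of_addr):
        self.visitors[(home_agent_addr, mn_home_addr)] = care_of_addr

    def revoke(self, home_addr, home_domain_addr):
        """Apply the address fields of a revocation received from a home agent.
        Returns the released care-of address, or None when nothing was released."""
        if home_domain_addr == ZERO_ADDRESS:
            return None      # MUST be silently discarded: the pair would be ambiguous
        return self.visitors.pop((home_domain_addr, home_addr), None)


class HomeAgentBindingTable:
    """Binding table keyed by the pair {care-of address, mobile node home address},
    the counterpart that is unique at the home agent."""

    def __init__(self):
        self.bindings = {}   # (care_of_addr, mn_home_addr) -> remaining lifetime

    def register(self, mn_home_addr, care_of_addr, lifetime):
        self.bindings[(care_of_addr, mn_home_addr)] = lifetime

    def revoke(self, home_addr, foreign_domain_addr):
        """Apply the address fields of a revocation received from a foreign agent.
        Returns the lifetime of the released binding, or None."""
        return self.bindings.pop((foreign_domain_addr, home_addr), None)
```

Two mobile nodes with home address 10.0.0.5 behind different home agents, both visiting via care-of address 192.0.2.10, remain distinct entries, and a revocation naming one home agent releases only that node's entry.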

Acknowledgments

The authors would like to thank Rajesh Bhalla, Kent Leung, and Alpesh Patel for their contributions to the concepts detailed in draft-subbarao-mobileip-resource-00.txt, "Releasing Resources in Mobile IP," from which the revocation support extension, and the acknowledgment mechanism contained in this document were derived.

The authors would also like to thank Pete McCann for his discussions on replay mechanisms, and security concerns, and Ahmad Muhanna for pointing out a problem with the initial replay mechanism, which eventually led to the addition of a time stamp to the Revocation Extension.

The authors would also like to acknowledge Henrik Levkowetz for his detailed review of the document, and Michael Thomas for his review of the replay mechanism described herein.

Authors' Addresses

Steven M. Glass Solaris Network Technologies Sun Microsystems 1 Network Drive Burlington, MA. 01801

   Phone: +1.781.442.0000
   Fax:   +1.781.442.1706
   EMail: steven.glass@sun.com

Madhavi W. Chandra IOS Technologies Division Cisco Systems 7025 Kit Creek Road Research Triangle Park, NC 27709

   Phone: +1.919.392.8387
   EMail: mchandra@cisco.com

Full Copyright Statement

Copyright (C) The Internet Society (2003). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
