Network Working Group                                     E. Fogelstroem
Request for Comments: 4857                                    A. Jonsson
Category: Experimental                                          Ericsson
                                                              C. Perkins
                                                  Nokia Siemens Networks
                                                               June 2007

Mobile IPv4 Regional Registration

Status of This Memo

This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The IETF Trust (2007).

Abstract

Using Mobile IP, a mobile node registers with its home agent each time it changes care-of address. This document describes a new kind of "regional registrations", i.e., registrations local to the visited domain. The regional registrations are performed via a new network entity called a Gateway Foreign Agent (GFA) and introduce a layer of hierarchy in the visited domain. Regional registrations reduce the number of signaling messages to the home network, and reduce the signaling delay when a mobile node moves from one foreign agent to another within the same visited domain. This document is an optional extension to the Mobile IPv4 protocol.

Table of Contents

   1. Introduction
   2. Overview of Regional Registrations
   3. Terminology
   4. Description of the Protocol
      4.1. General Assumptions
           4.1.1. Visited Domain
           4.1.2. Authentication
      4.2. Protocol Overview
      4.3. Advertising Foreign Agent and GFA
      4.4. Backwards Compatibility with RFC 3344
   5. Home Registration
      5.1. Mobile Node Considerations
      5.2. Foreign Agent Considerations
      5.3. GFA Considerations
      5.4. Home Agent Considerations
   6. Regional Registration
      6.1. Mobile Node Considerations
      6.2. Foreign Agent Considerations
      6.3. GFA Considerations
   7. Dynamic GFA Assignment
      7.1. Mobile Node Considerations for Dynamic GFA Assignment
      7.2. Foreign Agent Considerations for Dynamic GFA Assignment
      7.3. GFA Considerations for Dynamic GFA Assignment
      7.4. Home Agent Considerations for Dynamic GFA Assignment
      7.5. Regional Registration
   8. Router Discovery Extensions
      8.1. Regional Registration Flag
      8.2. Foreign Agent NAI Extension
   9. Regional Extensions to Mobile IPv4 Registration Messages
      9.1. GFA IP Address Extension
      9.2. Hierarchical Foreign Agent Extension
      9.3. Replay Protection Style
      9.4. Regional Registration Lifetime Extension
      9.5. New Code Values for Registration Reply
   10. Regional Registration Message Formats
      10.1. Regional Registration Request
      10.2. Regional Registration Reply
      10.3. New Regional Registration Reply Code Values
   11. Authentication Extensions
   12. Security Considerations
   13. IANA Considerations
   14. Acknowledgements
   15. References
      15.1. Normative References
      15.2. Informative References
   Appendix A. Authentication, Authorization, and Accounting (AAA) Interactions
   Appendix B. Anchoring at a GFA
1. Introduction

This document is an optional extension to the Mobile IPv4 protocol, and proposes a means for mobile nodes to register locally within a visited domain. By registering locally, the number of signaling messages to the home network is kept to a minimum, and the signaling delay is reduced.

In Mobile IP, as specified in [RFC3344], a mobile node registers with its home agent each time it changes care-of address. If the distance between the visited network and the home network of the mobile node is large, the signaling delay for these registrations may be long. We propose a solution for performing registrations locally in the visited domain: regional registrations. Regional registrations minimize the number of signaling messages to the home network, and reduce the signaling delay when a mobile node moves from one foreign agent to another within the same visited domain. This will both decrease the load on the home network, and speed up the process of handover within the visited domain.

Regional registrations introduce a new network node: the Gateway Foreign Agent (GFA). The address of the GFA is advertised by the foreign agents in a visited domain. When a mobile node first arrives at this visited domain, it performs a home registration -- that is, a registration with its home agent. At this registration, the mobile node registers the address of the GFA as its care-of address with its home agent. When moving between different foreign agents within the same visited domain, the mobile node only needs to make a regional registration to the GFA.

In their simplest form, regional registrations are performed transparently to the home agent. Additionally, regional registrations may also allow dynamic assignment of GFA. The solution for dynamic GFA assignment requires support in the mobile node, the foreign agent, the GFA, and the home agent.

The proposed regional registration protocol supports one level of foreign agent hierarchy beneath the GFA, but the protocol may be utilized to support several levels of hierarchy. Multiple levels of hierarchy are not discussed in this document.

Although this document focuses on regional registrations in visited domains, regional registrations are also possible in the home domain.

Foreign agents that support regional registrations are also required to support registrations according to Mobile IPv4 [RFC3344].

The following section gives an overview of regional registrations.

2. Overview of Regional Registrations

In standard Mobile IP, there are three entities of interest: the Mobile Node (MN), the Foreign Agent (FA), and the Home Agent (HA). The MN communicates with the HA, either through an FA or directly (if it has a co-located care-of address). With Regional Registrations, a new entity is defined: the Gateway Foreign Agent (GFA). The GFA sits between the MN/FA and HA, and to the HA, it appears as if the MN's temporary care-of address is that of the GFA. When a MN moves within a site, it need only interact with the GFA, so that the GFA knows at what temporary address the MN is currently reachable.

Two types of registration messages are used. Regular [RFC3344] Registration Requests/Replies are still used for when the MN exchanges Registration Requests/Replies with the HA, but these messages get forwarded through a GFA, and include new extensions.

In addition, a new pair of registration messages, Regional Registration Requests/Replies, are used between MNs/FAs/GFAs for intra-site signaling. A MN uses these messages to communicate its new addresses to the GFA as it moves around within a site.

There are two models of how the MN uses Regional Registrations. The FA can advertise a GFA to the MN. Alternatively, the FA can indicate that dynamic assignment of GFA is to be used. With dynamic GFA assignment, the MN does not choose the GFA; rather, the FA (or GFA) does so after receiving a Registration Request from the MN. However, in this mode the HA must understand (and support) Regional Registrations in order for them to be used. This last form is not transparent to the HA because the MN doesn't know in advance what GFA will be used, and cannot include it in a signed message to the HA.

When a MN moves to a new domain (determined by comparing its Network Access Identifier (NAI) [RFC4282] with the FA-NAI included in received Agent Advertisements), it can opt to use Regional Registrations. A site indicates support for Regional Registrations by setting the I-bit of the Mobile IP Agent Advertisement extension. In addition, such advertisements include a list of one or more care-of addresses. If there is only one care-of address, this is the address of the FA itself. In addition, the advertisement may include the address of the GFA. A GFA care-of address of all-ones indicates that dynamic assignment of GFA is supported.

A MN requests initial Regional Registration by sending a normal Registration Request to the FA, but setting the care-of address to that of the GFA (i.e., if it has selected this GFA and wishes to use it) or all-zeros (which signals a dynamic GFA assignment request). The FA adds a Hierarchical FA (HFA) extension and relays the request to the appropriate GFA. The HFA extension contains a single field: the IP address of the FA.

Note: the algorithm for MNs with co-located care-of addresses is similar, except that there is no FA, so the MN behaves as the FA in terms of the messages it sends.

A GFA receives Registration Requests relayed from an FA. If the care-of address in the received Registration Request is zero, the GFA assigns one. A GFA IP Address extension is then added to the Registration Request, and the message is forwarded to the HA. The GFA IP Address extension contains a single field: the IP address of the GFA. (A separate field is needed for this because the Registration Request message between the MN/HA is signed and cannot be modified.)

HAs process received Registration Requests in the same way as before, except in the case of dynamic GFA assignment. In this case, the HA uses the GFA address from the GFA IP Address extension as the MN's current care-of address. In addition, the Registration Reply message must include the GFA IP Address extension.

The regular Registration Requests/Replies are protected as described in [RFC3344], by use of the mobility security association between the MN and the HA. For regional registrations, it is assumed that a mobility security association is established between the MN and GFA during registration with the HA. Regional Registration Requests/Replies are protected by use of this security association between the MN and the GFA, e.g., by use of a MN-GFA Authentication extension.

HFA extensions, added by an FA to a Registration Request or Regional Registration Request, are protected by an FA-FA Authentication extension. Security associations between FAs and GFAs within a domain are assumed to exist prior to regional registrations.

Dynamic GFA assignment requires means for securely sending Registration Requests from the GFA to the HA, in order to protect the GFA IP Address extension.
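The relay chain MN -> FA -> GFA -> HA described in this section, as an added example that is not the RFC's own code or wire format: a Python model in which each authentication extension is an HMAC over the header and the extensions that precede it, so the FA's HFA extension and the GFA's GFA IP Address extension can be appended without disturbing the MN-HA protection, and a care-of address rewritten in the signed header is rejected by the HA. The keys and addresses are constructed, and the GFA assigning itself when the care-of address is all-zeros is an assumption of the model.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed keys for the three security associations this section names.
MN_HA_KEY = b"mn-ha-key-example"    # mobility SA between MN and HA
FA_GFA_KEY = b"fa-gfa-key-example"  # SA between FA and GFA, assumed pre-established
GFA_HA_KEY = b"gfa-ha-key-example"  # SA between GFA and HA (the GFA takes the FA role)
ALL_ZEROS = "0.0.0.0"               # care-of address requesting dynamic GFA assignment


def _mac(key, hdr, exts):
    """HMAC over a canonical encoding of the header and the given extensions."""
    data = json.dumps([hdr, exts], sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def add_auth(msg, name, key):
    """Append an authentication extension covering the header and all prior extensions."""
    msg["exts"].append({"type": name, "mac": _mac(key, msg["hdr"], msg["exts"])})


def check_auth(msg, name, key):
    """Verify the named authentication extension against what precedes it."""
    for i, ext in enumerate(msg["exts"]):
        if ext["type"] == name:
            return hmac.compare_digest(ext["mac"], _mac(key, msg["hdr"], msg["exts"][:i]))
    return False


def mn_build_request(home_addr, ha_addr, care_of):
    """MN: care_of is the advertised GFA address, or all-zeros to request dynamic assignment."""
    msg = {"hdr": {"home": home_addr, "ha": ha_addr, "coa": care_of, "lifetime": 1800},
           "exts": []}
    add_auth(msg, "MN-HA", MN_HA_KEY)
    return msg


def fa_relay(msg, fa_addr):
    """FA: add the Hierarchical FA extension (its own address), protected by FA-FA auth."""
    msg = deepcopy(msg)
    msg["exts"].append({"type": "HFA", "fa": fa_addr})
    add_auth(msg, "FA-FA", FA_GFA_KEY)
    return msg


def gfa_relay(msg, gfa_addr):
    """GFA: check the FA's extension, then add the GFA IP Address extension and FA-HA auth.
    The header is covered by MN-HA auth, so the GFA address travels in a separate extension;
    on an all-zeros care-of address the GFA assigns itself (an assumption of this model)."""
    if not check_auth(msg, "FA-FA", FA_GFA_KEY):
        raise ValueError("HFA extension failed FA-FA authentication")
    msg = deepcopy(msg)
    msg["exts"].append({"type": "GFA-IP", "gfa": gfa_addr})
    add_auth(msg, "FA-HA", GFA_HA_KEY)
    return msg


def ha_process(msg):
    """HA: return (code, registered care-of address, extensions for the Reply).
    Codes are RFC 3344 Registration Reply codes: 0 accepted, 131 MN failed
    authentication, 132 FA failed authentication, 134 poorly formed Request."""
    if not check_auth(msg, "FA-HA", GFA_HA_KEY):
        return 132, None, []
    if not check_auth(msg, "MN-HA", MN_HA_KEY):
        return 131, None, []
    coa = msg["hdr"]["coa"]
    reply_exts = []
    if coa == ALL_ZEROS:
        # Dynamic GFA assignment: take the care-of address from the GFA IP Address
        # extension and echo that extension in the Registration Reply.
        gfa_ext = next((e for e in msg["exts"] if e["type"] == "GFA-IP"), None)
        if gfa_ext is None:
            return 134, None, []
        coa = gfa_ext["gfa"]
        reply_exts.append(gfa_ext)
    return 0, coa, reply_exts


def run_home_registration(mn_coa, rewrite_coa=None):
    """Run MN -> FA -> GFA -> HA with constructed addresses. If rewrite_coa is given, the
    GFA rewrites the signed header and re-signs only its own FA-HA extension, which the
    HA must detect through the MN-HA authentication extension."""
    req = mn_build_request("203.0.113.7", "198.51.100.1", mn_coa)
    req = fa_relay(req, "10.1.1.1")
    req = gfa_relay(req, "192.0.2.1")
    if rewrite_coa is not None:
        req["hdr"]["coa"] = rewrite_coa
        req["exts"].pop()                    # drop FA-HA auth computed over the old header
        add_auth(req, "FA-HA", GFA_HA_KEY)
    return ha_process(req)
```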

3. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

This document uses the following terms:

Critical type
   A type value for an extension in the range 0-127, which indicates that the extension MUST either be known to the recipient, or that the message containing the extension MUST be rejected. In other words, an extension with a critical type value is non-skippable.

Domain
   A collection of networks sharing a common network administration.

Foreign Agent (FA)
   As defined in [RFC3344].

Gateway Foreign Agent (GFA)
   A Foreign Agent which has a publicly routable IP address. A GFA may, for instance, be placed in or near a firewall.

Home Agent (HA)
   As defined in [RFC3344].

Home domain
   The domain where the home network and home agent are located.

Home network
   As defined in [RFC3344].

Home Registration
   A registration, processed by the home agent and the GFA, using the specification in [RFC3344] possibly with additional extensions defined in this document.

Local Care-of Address
   A care-of address that is assigned to either a mobile node or a foreign agent offering local connectivity to a mobile node. A registration message from the mobile node is subsequently sent to a GFA via the local care-of address.

Mobile Node (MN)
   As defined in [RFC3344].

Mobility Agent (MA)
   As defined in [RFC3344].

Network Access Identifier (NAI)
   Some features of this protocol specification rely on use of the Network Access Identifier (NAI) [RFC2794].

Regional Registration
   A mobile node performs registration locally at the visited domain, by sending a Regional Registration Request to a GFA, and receiving a Regional Registration Reply in return.

Registration Key
   A key used by mobile nodes and mobility agents to secure certain signals and control messages specified by Mobile IP.

Visited domain
   The domain where the visited network, the current foreign agent, and the GFA are located.

Visited network
   As defined in [RFC3344].

4. Description of the Protocol

This section provides an overview of the regional registration protocol.

4.1. General Assumptions

Our general model of operation is illustrated in Figure 1, showing a visited domain with FA and GFA, and a home network with a HA:

        +---------------------------+                 +----------------+
        |       Visited Domain      |                 |      Home      |
        |                           |   +---------+   |     Network    |
        |                           |   |         |   |                |
        |  +------+      +-------+  |   | Public  |   |    +------+    |
        |  |  FA  |------|  GFA  |-------------------------|  HA  |    |
        |  +--+---+      +-------+  |   | Network |   |    +------+    |
        |     |                     |   |         |   |                |
        +-----|---------------------+   +---------+   +----------------+
              |
           +--+---+
           |  MN  |
           +------+

Figure 1: Model of Operation

For MNs that cannot process a NAI, or with mobility agents that are not configured to advertise their NAI, regional registration is still useful, but processing the NAI makes it easier for the mobile node to reliably detect domain changes.

4.1.1. Visited Domain

We assume two hierarchy levels of FAs in the visited domain. At the top level of the hierarchy, there is at least one GFA, which is an FA with additional features. A GFA must have a publicly routable address. Beneath a GFA, there are one or more FAs. We assume that there exist established security associations between a GFA and the FAs beneath it. When designing a domain supporting regional registrations, the FAs and GFAs in this domain must be compatible. That is, they should support the same encapsulation types, compression mechanisms, etc.

When a MN changes care-of address under the same GFA, it MAY perform a regional registration. If the MN changes GFA, within a visited domain or between visited domains, it MUST perform a home registration.

4.1.2. Authentication

With regional registrations, a GFA address is registered at the HA as the care-of address of the MN. If a Mobile-Foreign (MN-FA) Authentication extension is present in a Registration Request message directed to the HA, the GFA will perform the authentication. Similarly, if a Foreign-Home (FA-HA) Authentication extension is present in a Registration Request message, the authentication is performed between the GFA and the HA. To summarize, the GFA takes the role of an FA with regard to security associations in the home registrations.

Regional registration messages also need to be protected with authentication extensions in the same way as registrations with the HA. This means that the MN and the GFA MUST have received the keys needed to construct the authentication extensions before any regional registration is performed. As described above, since the GFA address is the registered care-of address of the MN at its home network, the GFA is the agent within the visited domain that has to have the appropriate security associations with the HA and the MN. The GFA's security association with the MN is then used to enable proper authentication for regional registrations (see Section 6). How the keys are distributed is outside the scope of this draft. One example is to distribute the keys as part of the home registration, for example according to [RFC4004] and [RFC3957]. Another example is pre-configured keys.

4.2. Protocol Overview

When a MN first arrives at a visited domain, it performs a registration with its home network. During this registration, the HA registers the care-of address of the MN. In case the visited domain supports regional registrations, the care-of address that is registered at the HA is the address of a GFA. The GFA keeps a visitor list of all the MNs currently registered with it.

Since the care-of address registered at the HA is the GFA address, it will not change when the MN changes FA under the same GFA. Thus, the HA does not need to be informed of further MN movements within the visited domain.

Figure 2 illustrates the signaling message flow for home registration. During the home registration, the HA records the GFA address as the care-of address of the MN.

     MN                     FA1                     GFA              HA
     |                       |                       |                |
     | Registration Request  |                       |                |
     |---------------------->|  Reg.  Request        |                |
     |                       |---------------------->|  Reg.  Request |
     |                       |                       |--------------->|
     |                       |                       |   Reg.  Reply  |
     |                       |  Reg.  Reply          |<---------------|
     |  Registration Reply   |<----------------------|                |
     |<----------------------|                       |                |
     |                       |                       |                |

Figure 2: Home Registration

Figure 3 illustrates the signaling message flow for regional registration. Even though the MN's local care-of address changes, the HA continues to use the GFA address as the care-of address of the MN. We introduce two new message types for regional registrations: Regional Registration Request and Regional Registration Reply.

     MN                     FA2                            GFA       HA
     |                       |                              |         |
     | Regional Reg.  Req.   |                              |         |
     |---------------------->| Regional Registration  Req.  |         |
     |                       |----------------------------->|         |
     |                       | Regional Registration Reply  |         |
     | Regional Reg.  Reply  |<-----------------------------|         |
     |<----------------------|                              |         |
     |                       |                              |         |

Figure 3: Regional Registration

4.3. Advertising Foreign Agent and GFA

A FA typically announces its presence via an Agent Advertisement message [RFC3344]. If the domain to which an FA belongs supports regional registrations, the following changes apply to the Agent Advertisement.

The 'I' flag (see Section 8.1) MUST be set to indicate that the domain supports regional registrations. If the 'I' flag is set, there MUST be at least one care-of address in the Agent Advertisement. If the 'I' flag is set and there is only one care-of address, it is the address of the FA. If the 'I' flag is set, and there is more than one care-of address, the first care-of address is the local FA, and the last care-of address is the GFA. (Any care-of addresses advertised in addition to these two are out of scope for this document.)

The FA-NAI (see Section 8.2) SHOULD also be present in the Agent Advertisement to enable the MN to decide whether or not it has moved to a new domain since its last registration. The decision is based on whether the realm part of the advertised FA-NAI matches the realm of the FA-NAI advertised by the MN's previous FA.

4.4. Backwards Compatibility with RFC 3344

A domain that supports regional registrations should also be backwards compatible.

An FA MUST support registrations according to Mobile IPv4 as defined in [RFC3344]. This allows MNs that don't support regional registrations to register via this FA using standard Mobile IPv4. If the FA advertises both its own care-of address and a GFA care-of address, a MN that supports regional registrations but has a HA that doesn't, will still be able to make use of regional registrations through that GFA care-of address.

The advertised GFA care-of address MAY be set to all-ones, to indicate dynamic GFA assignment. If the MN supports regional registrations, and an all-ones GFA care-of address is advertised, the MN SHOULD use dynamic GFA assignment (see Section 7.1).

5. Home Registration

This section gives a detailed description of home registration, i.e., registration with the HA (on the home network). Home registration is performed when a MN first arrives at a visited domain, when it requests a new HA, or when it changes GFA. Home registration is also performed to renew bindings which would otherwise expire.

5.1. Mobile Node Considerations

Upon receipt of an Agent Advertisement message with the 'I' flag set and an FA-NAI extension, the MN compares the domain part of the FA NAI with the one received in the previous Agent Advertisement, to determine whether it has moved to a new domain since its last registration. If the NAIs do not match, the MN MUST assume it has moved to a new domain.

If the MN determines that it has moved to a new domain, it SHOULD insert the advertised GFA address in the care-of address field in the Registration Request message. For dynamic GFA assignment, see Section 7.1.

A MN with a co-located care-of address might also want to use regional registrations. It then finds out the address of a GFA, either from Agent Advertisements sent by an FA, or by some means not described in this document. The MN MAY then generate a Registration Request message, with the GFA address in the care-of address field, and send it directly to the GFA (not via an FA). In this case, the MN MUST add a Hierarchical Foreign Agent (HFA) extension (see Section 9.2), including its co-located care-of address, to the Registration Request before sending it. The HFA extension MUST be protected by an authentication extension. If the MN has established a mobility security association with the GFA, the HFA extension MUST be placed before the MN-FA Authentication extension, and it SHOULD be placed after the Mobile-Home (MN-HA) Authentication extension. Otherwise, if the MN has no established mobility security association with the GFA, the HFA extension MUST be placed before the MN-HA authentication extension.

If the MN receives an Agent Advertisement with the 'R' bit set, even if it has a co-located care-of address, it still formulates the same Registration Request message with extensions, but it sends the message to the advertising FA instead of to the GFA.

If the home registration is about to expire, the MN performs a new home registration using the same GFA care-of address to refresh the binding [RFC3344]. If the MN has just moved to a new FA and not yet sent a Regional Registration Request when the home registration is due to expire, the MN sends only a Registration Request, as this will update both the GFA and the HA.

If the Registration Reply includes a Replay Protection Style extension, the value in the Initial Identification field is the value to be used for replay protection in the next Regional Registration Request (see Section 6.1).

5.2. Foreign Agent Considerations

When the FA receives a Registration Request message from a MN, it extracts the care-of address field to find the GFA to which the message shall be relayed. All FAs that advertise the 'I' flag MUST also be able to handle Registration Requests with an all-zeros care-of address (used for dynamic GFA assignment).

If the FA receives a Registration Request where the care-of address is set to all-ones (which could happen if a MN that doesn't support Regional Registrations copied an all-ones care-of address from an Agent Advertisement), it MUST reply with the Code field set to "poorly formed request" [RFC3344].

If the Registration Request has the 'T' bit set, the MN is requesting Reverse Tunneling [RFC3024]. In this case, the FA has to tunnel packets from the MN to the GFA for further handling.

If the care-of address in the Registration Request is the address of the FA, the FA relays the message directly to the HA, as described in [RFC3344]. For each pending or current home registration, the FA maintains a visitor list entry as described in [RFC3344]. If reverse tunneling is being used, the visitor list MUST contain the address of the GFA, in addition to the fields required in [RFC3344].

Otherwise, if the care-of address in the Registration Request is the address of a GFA (or all-zeros), the FA adds a Hierarchical Foreign Agent (HFA) extension, including its own address, to the Registration Request, and relays it to the GFA. The HFA extension MUST be appended at the end of all previous extensions that were included in the Registration Request when the FA received it, and it MUST be protected by a Foreign-Foreign (FA-FA) Authentication extension (see Section 11).

5.3. GFA Considerations

For each pending or current home registration, the GFA maintains a visitor list entry as described in [RFC3344]. This visitor list entry is also updated for the regional registrations performed by the MN. In addition to the fields required in [RFC3344], the list entry MUST contain:

o the current care-of address of the MN (i.e., the FA or co-located address) received in the HFA extension

o the remaining Lifetime of the regional registration

o the style of replay protection in use for the regional registration

o the Identification value for the regional registration.

The default replay protection style for regional registrations is timestamp-based replay protection, as defined in Mobile IPv4 [RFC3344]. If the timestamp sent by the MN in the Registration Request is not close enough to the GFA's time-of-day clock, the GFA adds a Replay Protection Style extension (see Section 9.3) to the Registration Reply, with the GFA's time of day in the Identification field to synchronize the MN with the GFA for the regional registrations.

If nonce-based replay protection is used, the GFA adds a Replay Protection Style extension to the Registration Reply, where the high-order 32 bits of the Identification field carry the nonce that the MN should use in the following regional registration.

If the Registration Request contains a Replay Protection Style extension (see Section 9.3) requesting a style of replay protection not supported by the GFA, the GFA MUST reject the Registration Request and send a Registration Reply with the value in the Code field set to REPLAY_PROT_UNAVAIL (see Section 9.5).

If the Hierarchical Foreign Agent (HFA) extension comes after the MN-FA Authentication extension, the GFA MUST remove it from the Registration Request. The GFA then sends the Registration Request to the HA. Upon receipt of the Registration Reply, the GFA consults its pending registration record to find the care-of address within its domain that is currently used by the MN, and sends the Registration Reply to that care-of address.

If the Replay Protection Style extension (see Section 9.3) is present in a Registration Request, and follows the MN-HA Authentication extension, the GFA SHOULD remove the Replay Protection Style extension after performing any necessary processing and before sending the Registration Request to the HA.

If the GFA receives a Registration Request from a MN that it already has a mobility binding for, this is an update of a binding that is about to expire. If the address in the Hierarchical Foreign Agent (HFA) extension is the same as the current care-of address in the visitor list for the MN, the entries in the visitor list concerning regional registrations are not changed, except to update the lifetime. If the address in the HFA extension is a new address, the values for the regional registration are updated.

If the Registration Request has the 'T' bit set, the GFA has to decapsulate the packets from the FA and re-encapsulate them for further delivery back to the HA. These actions are required because the HA has to receive such packets from the expected care-of address (i.e., that of the GFA) instead of the local care-of address (i.e., that of the FA).

When receiving a Registration Reply from the HA, the GFA MAY add a Regional Registration Lifetime extension to the message before relaying it to the FA. The extension defines the lifetime that the GFA allows the MN before it has to renew its regional registration. The GFA MUST set the lifetime of the regional registration to be no greater than the remaining lifetime of the MN's registration with its HA. If used, the Regional Registration Lifetime extension MUST be added after any other extensions, and MUST be protected by an MN-FA Authentication extension.

5.4. Home Agent Considerations

The Registration Request is processed by the HA as described in [RFC3344].

6. Regional Registration

This section describes regional registrations. Once the HA has registered the GFA address as the care-of address of the MN, the MN may perform regional registrations. When performing regional registrations, the MN may either register an FA care-of address or a co-located address with the GFA. In the following, we assume that a home registration has already occurred, as described in Section 5, and that the GFA has a mobility security association with the MN.

Suppose the MN moves from one FA to another FA within the same visited domain. It will then receive an Agent Advertisement from the new FA. Suppose further that the Agent Advertisement indicates that the visited domain supports regional registrations, and either that the advertised GFA address is the same as the one the MN has registered as its care-of address during its last home registration, or that the realm part of the newly advertised FA-NAI matches the FA-NAI advertised by the MN's previous FA. Then, the MN can perform a regional registration with this FA and GFA. The MN issues a Regional Registration Request to the GFA via the new FA. The request is authenticated with the MN-GFA Authentication extension (see Section 11), using the existing mobility security association between the GFA and the MN. The care-of address should be set to the address of the local FA.

If the Regional Registration Request contains a care-of address field of all-zeros, the FA adds a Hierarchical Foreign Agent (HFA) extension to the message and relays it to the GFA. Based on the information in the HFA extension, the GFA updates the MN's current point of attachment in its visitor list. The GFA then issues a Regional Registration Reply to the MN via the FA.

If the advertised GFA is not the same as the one the MN has registered as its care-of address, and if the MN is still within the same domain as it was when it registered that care-of address, the MN MAY try to perform a regional registration with its registered GFA. If the FA cannot support regional registration to a GFA other than the one it advertises, the FA denies the Regional Registration Request with code UNKNOWN_GFA (see Section 10.3). In this case, the MN has to do a new home registration via the new GFA.

New message types are introduced for the Regional Registration Request and Reply. The motivation for introducing new message types, rather than using the Registration Request and Reply defined in [RFC3344] is: (1) the MN must be able to distinguish regional registrations from home registrations, since in the former case the timestamps/nonces are synchronized with its GFA and in the latter with its HA; and (2) a home registration MUST be directed to the home network before the lifetime of the GFA care-of address expires.

6.1. Mobile Node Considerations

For each pending or current home registration, the MN maintains the information described in [RFC3344]. The information is also updated for the regional registrations performed by the MN. In addition to the information described in [RFC3344], the MN MUST maintain the following information, if present:

o the GFA address

o the remaining Lifetime of the regional registration

o the style of replay protection in use for the regional registration

o the Identification value for the regional registration.

The replay protection for home registrations and regional registrations is performed as described in [RFC3344]. Since the MN performs regional registrations at the GFA in parallel with home registrations at the HA, the MN MUST be able to keep one replay protection mechanism and sequence for the GFA, and a separate mechanism and sequence for the HA.

For regional registrations, replay protection may also be provided at the FA by the challenge-response mechanism, as described in [RFC4721].

6.2. Foreign Agent Considerations

When the FA receives a Regional Registration Request from a MN, addressed to a GFA, it generally processes the message according to the rules of processing a Registration Request addressed to a HA (see Section 5.2). The only difference is that the GFA IP address field replaces the HA address field. If that address belongs to a known GFA, the FA forwards the request to the indicated GFA. Otherwise, the FA MUST generate a Regional Registration Reply with error code UNKNOWN_GFA.

For each pending or current registration, the FA maintains a visitor list entry as described in [RFC3344]. If reverse tunneling is being used, the visitor list MUST contain the address of the GFA, in addition to the fields required in [RFC3344]. This is required so that the FA can tunnel datagrams, sent by the MN, to the GFA. The GFA then decapsulates the datagrams, re-encapsulates them, and sends them to the HA.

6.3. GFA Considerations

If the GFA accepts a Regional Registration Request, it MUST set the lifetime of the regional registration to be no greater than the remaining lifetime of the MN's registration with its HA, and put this lifetime into the corresponding Regional Registration Reply. The GFA MUST NOT accept a request for a regional registration if the lifetime of the MN's registration with its HA has expired. In that case, the GFA sends a Regional Registration Reply with the value in the Code field set to NO_HOME_REG.
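
As an added example (not part of the RFC or of any implementation it describes), the following Python models the GFA visitor-list handling of Sections 5.3 and 6.3: the regional lifetime capped by the remaining home registration, NO_HOME_REG once that registration has lapsed, the HFA-address refresh rule, and the separate timestamp- or nonce-based replay sequence the GFA keeps for regional registrations (Section 6.1). The class and method names, the string result codes and the CLOCK_WINDOW skew tolerance are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass

TIMESTAMP, NONCE = "timestamp", "nonce"
# Clock skew tolerated for timestamp-based replay protection; a local policy
# value chosen for this example, not a number from the RFC.
CLOCK_WINDOW = 7


@dataclass
class VisitorEntry:
    """Regional fields the GFA keeps per MN on top of the RFC 3344 visitor list."""
    current_coa: str        # FA or co-located address taken from the HFA extension
    home_expiry: int        # when the MN's registration with its HA lapses
    regional_expiry: int
    replay_style: str
    identification: int     # last accepted timestamp, or the nonce expected next


class GatewayForeignAgent:
    def __init__(self, clock=time.time, nonce_source=None):
        self.clock = lambda: int(clock())
        self.nonce_source = nonce_source or (lambda: secrets.randbits(32))
        self.visitors: dict[str, VisitorEntry] = {}

    def home_registration(self, mn, hfa_coa, home_lifetime, mn_timestamp, style=TIMESTAMP):
        """Run when a Registration Reply from the HA passes through the GFA.
        Returns (code, regional_lifetime, sync_identification); the last value is
        what a Replay Protection Style extension would carry (None if the MN's
        clock is already close enough to the GFA's)."""
        now = self.clock()
        sync = None
        if style == TIMESTAMP:
            ident = mn_timestamp
            if abs(mn_timestamp - now) > CLOCK_WINDOW:
                ident = sync = now                    # GFA time of day for the MN to adopt
        elif style == NONCE:
            ident = sync = self.nonce_source()        # nonce the MN must use next time
        else:
            return "REPLAY_PROT_UNAVAIL", 0, None
        entry = self.visitors.get(mn)
        if entry is not None and entry.current_coa == hfa_coa:
            # Same point of attachment: only the lifetimes are refreshed.
            entry.home_expiry = entry.regional_expiry = now + home_lifetime
        else:
            self.visitors[mn] = VisitorEntry(hfa_coa, now + home_lifetime,
                                             now + home_lifetime, style, ident)
        # Regional lifetime may not exceed the lifetime granted by the HA.
        return "ACCEPTED", home_lifetime, sync

    def regional_registration(self, mn, new_coa, requested_lifetime, identification):
        """Regional Registration Request handling: refuse once the home
        registration has lapsed, cap the lifetime by the remaining home lifetime,
        and enforce the replay style agreed at home registration.
        Returns (code, granted_lifetime, next_identification)."""
        now = self.clock()
        entry = self.visitors.get(mn)
        if entry is None or entry.home_expiry <= now:
            return "NO_HOME_REG", 0, None
        if entry.replay_style == TIMESTAMP:
            # Must be within the window and strictly newer than the last accepted value.
            if abs(identification - now) > CLOCK_WINDOW or identification <= entry.identification:
                return "IDENTIFICATION_MISMATCH", 0, now   # reply carries GFA time for resync
            entry.identification = identification
            next_ident = None
        else:
            if identification != entry.identification:
                return "IDENTIFICATION_MISMATCH", 0, None
            entry.identification = next_ident = self.nonce_source()
        lifetime = min(requested_lifetime, entry.home_expiry - now)
        entry.current_coa = new_coa
        entry.regional_expiry = now + lifetime
        return "ACCEPTED", lifetime, next_ident
```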

If the GFA receives a tunneled packet from an FA in its domain, then after decapsulation the GFA looks to see whether it has an entry in its visitor list for the source IP address of the inner IP header after decapsulation. If so, it checks the visitor list to see whether reverse tunneling has been requested; if it was requested, the GFA re-encapsulates the packet with its own address as the source IP address, and the address of the HA as the destination IP address.

7. Dynamic GFA Assignment

Regional registrations may also allow dynamic assignment of a GFA to a MN. The visited network (i.e., the FA) indicates support for dynamic GFA assignment by advertising an all-ones care-of address in the Agent Advertisement. The MN then sets the care-of address in the Registration Request to all-zeros to request a dynamically assigned GFA. Upon receiving this Registration Request, the FA relays it to the appropriate GFA, and the GFA assigns its address to the MN by means of a GFA IP Address extension added to the Registration Request.

In order for dynamic GFA assignment to work, the MN, GFA, and HA, respectively, MUST support the GFA IP Address extension. Also, the FA MUST be able to advertise an all-ones care-of address and handle a Registration Request with an all-zeros care-of address.

Note also that protection of the GFA IP Address extension, added to the Registration Request, requires either the use of an FA-HA Authentication extension or other means to secure the Registration Request when forwarded from the GFA to the HA.

7.1. Mobile Node Considerations for Dynamic GFA Assignment

If the 'I' flag in the Agent Advertisement sent out by the FA is set, and the care-of address indicating the GFA is set to all-ones, this indicates support for dynamic GFA assignment.

If the MN supports dynamic GFA assignment, and if the advertised GFA address is all-ones, the MN SHOULD set the care-of address field in the Registration Request to all-zeros to request to be assigned a GFA.

When requesting dynamic GFA assignment, the MN MUST check to make sure that it receives a GFA IP Address extension in the Registration Reply.

7.2. Foreign Agent Considerations for Dynamic GFA Assignment

If an FA supports dynamic GFA assignment, and receives a Registration Request with the care-of address field set to all-zeros, the FA assigns a GFA to the MN. A FA can either have a default GFA that it assigns to all MNs or it can assign a GFA by some means not described in this specification.

If an FA that does not support dynamic GFA assignment receives a Registration Request with the care-of address field set to all-zeros, the FA will deny the request as described in [RFC3344], i.e., by sending a Registration Reply with the Code field set to "invalid care-of address".

7.3. GFA Considerations for Dynamic GFA Assignment

If a GFA supports dynamic GFA assignment, and receives a Registration Request with the care-of address field set to all-zeros, the GFA assigns its own IP address as care-of address for this MN, and adds a GFA IP Address extension with this address to the Registration Request. The GFA MUST NOT insert the GFA IP address directly in the care-of address field in the Registration Request, since that would cause the MN-HA authentication to fail.

The GFA IP Address extension has to be protected so that it cannot be changed by a malicious node when the Registration Request is forwarded to the HA. If the HA and the GFA have a mobility security association, the GFA IP Address extension MUST be protected by the FA-HA authentication extension. Otherwise, the Registration Request MUST be sent to the HA in a secure way, for example via a secure AAA protocol (e.g., [RFC4004], [RFC3957]).
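
Why the GFA must add a GFA IP Address extension rather than rewrite the care-of address field, and why that extension needs the FA-HA Authentication extension, can be shown with the RFC 3344 authentication extensions. The following Python is an added example, not code from the RFC: it builds the MN's Registration Request, lets a GFA append the extension plus an FA-HA Authentication extension, and runs the HA-side checks of Sections 7.4 and 9.1. The keys, addresses, SPIs and function names are constructed for this example; the authenticator is HMAC-MD5 over the preceding data plus the extension's Type, Length and SPI, as RFC 3344 specifies.

```python
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST_TYPE = 1
MN_HA_AUTH, FA_HA_AUTH = 32, 34   # RFC 3344 authentication extension types
GFA_IP_ADDRESS_EXT = 46           # Section 9.1 of this document, Length 6
FIXED_PART_LEN = 24               # RFC 3344 Registration Request fixed portion
ZERO_COA = ipaddress.IPv4Address("0.0.0.0")

# Constructed keys and addresses; none of these values come from the RFC.
MN_HA_KEY = b"mn-ha-shared-secret-example"
FA_HA_KEY = b"gfa-ha-shared-secret-example"
GFA_ADDR = "198.51.100.1"


def fixed_part(flags, lifetime, home_addr, home_agent, coa, identification):
    """Type, flags, Lifetime, Home Address, Home Agent, Care-of Address
    (octets 12..15), Identification (RFC 3344 Section 3.3)."""
    return (struct.pack("!BBH", REG_REQUEST_TYPE, flags, lifetime)
            + ipaddress.IPv4Address(home_addr).packed
            + ipaddress.IPv4Address(home_agent).packed
            + ipaddress.IPv4Address(coa).packed
            + struct.pack("!Q", identification))


def auth_extension(ext_type, spi, key, covered):
    """HMAC-MD5 authenticator (RFC 3344 default) over everything that
    precedes the extension plus its own Type, Length and SPI."""
    header = struct.pack("!BBI", ext_type, 4 + 16, spi)
    return header + hmac.new(key, covered + header, hashlib.md5).digest()


def gfa_ip_address_extension(gfa_addr):
    return struct.pack("!BBH", GFA_IP_ADDRESS_EXT, 6, 0) + ipaddress.IPv4Address(gfa_addr).packed


def find_extension(msg, ext_type):
    """Offset of the first extension of ext_type after the fixed part, or None."""
    off = FIXED_PART_LEN
    while off + 2 <= len(msg):
        if msg[off] == ext_type:
            return off
        off += 2 + msg[off + 1]
    return None


def verify_auth(msg, ext_type, key):
    off = find_extension(msg, ext_type)
    if off is None:
        return False
    header, length = msg[off:off + 6], msg[off + 1]
    expected = hmac.new(key, msg[:off] + header, hashlib.md5).digest()
    return hmac.compare_digest(expected, msg[off + 6:off + 2 + length])


def mn_request():
    """Section 7.1: the MN asks for a GFA with an all-zeros care-of address
    and protects the request with its MN-HA Authentication extension."""
    req = fixed_part(0, 1800, "203.0.113.10", "203.0.113.1", ZERO_COA, 0x0102030405060708)
    return req + auth_extension(MN_HA_AUTH, 0x100, MN_HA_KEY, req)


def gfa_forward(req, overwrite_coa=False):
    """Section 7.3: append a GFA IP Address extension and cover it with an
    FA-HA Authentication extension.  overwrite_coa=True is the forbidden
    variant, kept only to show why it breaks the MN-HA authentication."""
    if overwrite_coa:
        req = req[:12] + ipaddress.IPv4Address(GFA_ADDR).packed + req[16:]
    msg = req + gfa_ip_address_extension(GFA_ADDR)
    return msg + auth_extension(FA_HA_AUTH, 0x200, FA_HA_KEY, msg)


def modify_gfa_extension_in_transit(msg, new_addr):
    """Change the address inside the GFA IP Address extension; shows that the
    FA-HA authenticator detects the modification."""
    off = find_extension(msg, GFA_IP_ADDRESS_EXT)
    return msg[:off + 4] + ipaddress.IPv4Address(new_addr).packed + msg[off + 8:]


def ha_accepts(msg):
    """HA checks: both authenticators must verify, and an all-zeros care-of
    address is usable only together with a GFA IP Address extension."""
    if not verify_auth(msg, MN_HA_AUTH, MN_HA_KEY):
        return "MN-HA authentication failed"
    if not verify_auth(msg, FA_HA_AUTH, FA_HA_KEY):
        return "FA-HA authentication failed"
    coa = ipaddress.IPv4Address(msg[12:16])
    off = find_extension(msg, GFA_IP_ADDRESS_EXT)
    if coa == ZERO_COA:
        if off is None:
            return "ZERO_CAREOF_ADDRESS"
        coa = ipaddress.IPv4Address(msg[off + 4:off + 8])
    return f"accepted, care-of address {coa}"
```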

If the GFA does not support dynamic GFA assignment, it will deny the request by sending a Registration Reply with the Code field set to ZERO_COA_NOT_SUPP (see Section 9.5).

7.4. Home Agent Considerations for Dynamic GFA Assignment

If a HA receives a Registration Request with a GFA IP Address extension, and the HA does not allow the use of this extension, the HA MUST return a Registration Reply with the Code value set to DYN_GFA_NOT_SUPP (see Section 9.5).

If a HA receives a Registration Request message with the care-of address set to all-zeros, but no GFA IP Address extension, it MUST deny the request by sending a Registration Reply message with the Code field set to ZERO_CAREOF_ADDRESS (see Section 9.5).

If a HA that does not support dynamic GFA assignment receives a Registration Request with a GFA IP Address extension, the request will be denied by the HA, as described in [RFC3344].

If a HA that supports dynamic GFA assignment receives a Registration Request with the care-of address set to all-zeros and a GFA IP Address extension, it MUST register the IP address of the GFA as the care-of address of the MN in its mobility binding list. If the Registration Request is accepted, the HA MUST include the GFA IP Address extension in the Registration Reply, before the MN-HA Authentication extension.

7.5. Regional Registration

If the MN receives an Agent Advertisement with the care-of address field indicating the GFA set to all-ones, and if the MN determines that it is within the same visited domain as when it did its last home registration, it MAY send a Regional Registration Request to its current GFA. Otherwise, it MUST send a Registration Request to its HA as described in Section 7.1.

8. Router Discovery Extensions

This section specifies a new flag within the Mobile IP Agent Advertisement, and an optional extension to the ICMP Router Discovery Protocol [RFC1256].

8.1. Regional Registration Flag

The only change to the Mobility Agent Advertisement Extension defined in [RFC3344] is a flag indicating that the domain, to which the FA generating the Agent Advertisement belongs, supports regional registrations. The flag is inserted after the flags defined in [RFC3344], [RFC3024], and [RFC3519].

Regional Registration flag:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |    Length     |        Sequence Number        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |           Lifetime            |R|B|H|F|M|G|r|T|U|I| reserved  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                  zero or more Care-of Addresses               |
       |                              ...                              |
        
The flag is defined as follows:

Type 16 (Mobility Agent Advertisement)

I Regional Registration. This domain supports regional registration as specified in this document.
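
As an added illustration (not part of RFC 4857 or of any implementation it describes), the following Python decodes a Mobility Agent Advertisement Extension laid out as in the figure above and applies the care-of address rules of Section 4.3 together with the all-ones convention for dynamic GFA assignment of Section 7.1. The function names and the sample addresses are constructed for this example; the 'I' bit position (0x40 of the second flag octet) follows the figure.

```python
import ipaddress
import struct

# Mobility Agent Advertisement Extension (Type 16).  Layout from the figure in
# Section 8.1: Type(1) Length(1) Sequence Number(2) Lifetime(2) Flags(2), then
# zero or more 4-octet care-of addresses.  Flag octets: |R|B|H|F|M|G|r|T| and
# |U|I|reserved(6)|, so 'R' is 0x80 of the first and 'I' is 0x40 of the second.
MOBILITY_AGENT_ADV_TYPE = 16
FLAG_R = 0x80
FLAG_I = 0x40
ALL_ONES = ipaddress.IPv4Address("255.255.255.255")
ALL_ZEROS = ipaddress.IPv4Address("0.0.0.0")


def parse_agent_advertisement(ext: bytes) -> dict:
    """Decode the extension and apply the rules of Section 4.3: with 'I' set
    there must be at least one care-of address; a single address is the FA;
    otherwise the first is the FA and the last is the GFA.  An all-ones GFA
    address announces dynamic GFA assignment (Section 7), which the MN then
    requests with an all-zeros care-of address (Section 7.1)."""
    if len(ext) < 8:
        raise ValueError("extension shorter than its fixed part")
    ext_type, length, seq, lifetime, flags_hi, flags_lo = struct.unpack("!BBHHBB", ext[:8])
    if ext_type != MOBILITY_AGENT_ADV_TYPE:
        raise ValueError("not a Mobility Agent Advertisement Extension")
    # Length covers everything after the Type and Length octets: 6 + 4*N.
    if length != len(ext) - 2 or (length - 6) % 4 != 0:
        raise ValueError("Length field inconsistent with extension size")
    coas = [ipaddress.IPv4Address(ext[i:i + 4]) for i in range(8, len(ext), 4)]
    regional = bool(flags_lo & FLAG_I)
    if regional and not coas:
        raise ValueError("'I' flag set but no care-of address advertised")
    result = {
        "sequence": seq,
        "lifetime": lifetime,
        "regional": regional,
        "registration_required": bool(flags_hi & FLAG_R),
        "fa_coa": coas[0] if coas else None,
        "gfa_coa": None,
        "dynamic_gfa": False,
        "request_coa": None,   # what the MN puts in its Registration Request
    }
    if regional and len(coas) > 1:
        gfa = coas[-1]
        result["gfa_coa"] = gfa
        result["dynamic_gfa"] = gfa == ALL_ONES
        result["request_coa"] = ALL_ZEROS if gfa == ALL_ONES else gfa
    elif regional:
        result["request_coa"] = coas[0]   # only the FA itself is advertised
    return result


def build_agent_advertisement(seq, lifetime, flags_hi, flags_lo, coas) -> bytes:
    """Encode an extension; used below only to construct sample input."""
    body = struct.pack("!HHBB", seq, lifetime, flags_hi, flags_lo)
    body += b"".join(ipaddress.IPv4Address(a).packed for a in coas)
    return struct.pack("!BB", MOBILITY_AGENT_ADV_TYPE, len(body)) + body


# Constructed sample advertisements; the addresses are documentation prefixes,
# not values from the RFC.
STATIC_GFA_ADV = build_agent_advertisement(7, 1800, FLAG_R, FLAG_I, ["192.0.2.1", "198.51.100.1"])
DYNAMIC_GFA_ADV = build_agent_advertisement(8, 1800, 0, FLAG_I, ["192.0.2.1", "255.255.255.255"])
PLAIN_RFC3344_ADV = build_agent_advertisement(9, 1800, FLAG_R, 0, ["192.0.2.1"])

if __name__ == "__main__":
    for adv in (STATIC_GFA_ADV, DYNAMIC_GFA_ADV, PLAIN_RFC3344_ADV):
        print(parse_agent_advertisement(adv))
```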

8.2. Foreign Agent NAI Extension

The FA-NAI extension is defined as subtype 3 of the NAI Carrying Extension [RFC3846].

The FA SHOULD include its NAI in the Agent Advertisement message. If present, the Foreign Agent NAI (FA-NAI) extension MUST appear in the Agent Advertisement message after any of the advertisement extensions defined in [RFC3344].

By comparing the domain part of the FA-NAI with the domain part of the FA-NAI it received in the previous Agent Advertisement, the MN can determine whether it has moved to a new domain since it last registered.

9. Regional Extensions to Mobile IPv4 Registration Messages

In this section, we specify new Mobile IP registration extensions for the purpose of managing regional registrations.

9.1. GFA IP Address Extension

The GFA IP Address extension is defined for the purpose of supporting dynamic GFA assignment. If the MN requests a dynamically assigned GFA, the GFA adds a GFA IP Address extension to the Registration Request before relaying it to the HA. The MN indicates that it wants a GFA to be assigned by sending a Registration Request with the care-of address field set to all-zeros. The GFA IP Address extension MUST appear in the Registration Request before the FA-HA Authentication extension, if present.

If a HA receives a Registration Request message with the care-of address set to all-zeros, and a GFA IP Address extension, it MUST register the IP address of the GFA as the care-of address of the MN. When generating a Registration Reply message, the HA MUST include the GFA IP Address extension from the Registration Request in the Registration Reply message. The GFA IP Address extension MUST appear in the Registration Reply message before the MN-HA Authentication extension.

The GFA IP Address Extension is defined as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Length    |           reserved            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         GFA IP Address                        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
Type 46 (GFA IP Address) (non-skippable)

Length 6

GFA IP Address The GFA IP Address field contains the Gateway Foreign Agent's (GFA) publicly routable address.

9.2. Hierarchical Foreign Agent Extension

The Hierarchical Foreign Agent (HFA) extension may be present in a Registration Request or Regional Registration Request. When an FA adds this extension to a Registration Request, the receiving mobility agent (GFA) sets up a pending registration record for the MN, using the IP address in the HFA extension as the care-of address for the MN. Furthermore, in this case, the extension MUST be appended at the end of all previous extensions that had been included in the registration message as received by the FA. The HFA extension MUST be protected by an FA-FA Authentication extension. When the receiving mobility agent (GFA) receives the registration message, it MUST remove the HFA extension added by the sending FA.

If a MN with a co-located care-of address adds the HFA extension to a Registration Request, the receiving mobility agent (GFA) sets up a pending registration record for the MN, using the IP address in the HFA extension as the care-of address for the MN. The extension MUST be protected by an authentication extension. If the MN has established a mobility security association with the GFA, the HFA extension MUST be placed before the MN-FA Authentication extension, and it SHOULD be placed after the Mobile-Home (MN-HA) Authentication extension. Otherwise, if the MN has no established mobility security association with the GFA, the HFA extension MUST be placed before the MN-HA authentication extension. If the HFA extension is placed after all other extensions, the receiving mobility agent (GFA) MUST remove the HFA extension added by the MN. Otherwise, when the HA receives the registration message, it ignores the HFA extension.

The Hierarchical Foreign Agent (HFA) Extension is defined as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Length    |           reserved            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         FA IP Address                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Type 140 (Hierarchical Foreign Agent) (skippable)

Length 6

FA IP Address The IP Address of the FA relaying the Registration Request.

9.3. Replay Protection Style

When a MN uses Mobile IPv4 to register a care-of address with its HA, the style of replay protection used for the registration messages is assumed to be known by way of a mobility security association that is required to exist between the MN and the HA receiving the request. No such pre-existing security association between the MN and the GFA is likely to be available. By default, the MN SHOULD treat replay protection for Regional Registration messages exactly as specified in Mobile IPv4 [RFC3344] for timestamp-based replay protection.

If the MN requires nonce-based replay protection, also as specified in Mobile IPv4, it MAY append a Replay Protection Style extension to a Registration Request. Since Registration Requests are forwarded to the HA by way of the GFA, the GFA will be able to establish the selected replay protection (see Section 5.3).

The GFA also uses this extension by adding a Replay Protection Style extension to a Registration Reply to synchronize the replay protection for Regional Registrations (see Section 5.3).

The format of the Replay Protection Style extension is:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Length    |    Replay Protection Style    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                   Initial Identification                      +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Type 141 (Replay Protection Style) (skippable)

Length 2

Replay Protection Style An integer specifying the style of replay protection desired by the MN.

Initial Identification The timestamp or nonce to be used for initial synchronization for the replay mechanism.

Admissible values for the Replay Protection Style are as follows:

                    +-------+-------------------------+
                    | Value | Replay Protection Style |
                    +-------+-------------------------+
                    | 0     | timestamp [RFC3344]     |
                    | 1     | nonce [RFC3344]         |
                    +-------+-------------------------+
        

The Replay Protection Style extension MUST be protected by an authentication extension. If the MN has an established mobility security association with the GFA, the Replay Protection Style extension MUST be placed before the MN-FA Authentication extension in the Registration Request, and SHOULD be placed after the MN-HA Authentication extension. Otherwise, the Replay Protection Style extension MUST be placed before the MN-HA Authentication extension in the Registration Request.

If the GFA adds a Replay Protection Style extension to a Registration Reply, it SHOULD be placed before the MN-FA Authentication extension. The MN-FA Authentication extension should be based on security associations between the MN and GFA established during home registration.

Replay protection MAY also be provided through a challenge-response mechanism, at the FA issuing the Agent Advertisement, as described in [RFC4721].

9.4. Regional Registration Lifetime Extension

The Regional Registration Lifetime extension allows the GFA to set a lifetime for the regional registration with an MN during its home registration. When receiving a Registration Reply from the HA, the GFA MAY add this extension to the Registration Reply before relaying it to the FA. The GFA MUST set the Regional Registration Lifetime to be no greater than the remaining lifetime of the MN's home registration.

The Regional Registration Lifetime Extension is defined as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Length    |           reserved            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                Regional Registration Lifetime                 |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type 142 (Regional Registration Lifetime) (skippable)

Length 6

Regional Registration Lifetime If the Code field indicates that the registration was accepted, the Regional Registration Lifetime field is set to the number of seconds remaining before the regional registration is considered expired. A value of zero indicates that the MN has been deregistered with the GFA. A value of 0xffff indicates infinity. If the Code field indicates that the home registration was denied, the contents of the Regional Registration Lifetime field are unspecified and MUST be ignored on reception.

If the GFA adds a Regional Registration Lifetime extension to a Registration Reply, it MUST be placed before the MN-FA Authentication extension. The MN-FA Authentication extension should be based on security associations between the MN and GFA established during home registration.

9.5. New Code Values for Registration Reply

The values to use within the Code field of the Registration Reply are defined in [RFC3344]. In addition, the following values are defined:

Registration denied by the GFA:

           +---------------------+-------+---------------------+
           | Error Name          | Value | Section of Document |
           +---------------------+-------+---------------------+
           | REPLAY_PROT_UNAVAIL | 110   | Section 5.3         |
           | ZERO_COA_NOT_SUPP   | 111   | Section 7.3         |
           +---------------------+-------+---------------------+
        

Registration denied by the HA (for dynamic GFA assignment):

           +---------------------+-------+---------------------+
           | Error Name          | Value | Section of Document |
           +---------------------+-------+---------------------+
           | ZERO_CAREOF_ADDRESS | 145   | Section 7.4         |
           | DYN_GFA_NOT_SUPP    | 146   | Section 7.4         |
           +---------------------+-------+---------------------+
        
10. Regional Registration Message Formats

This section specifies two new registration message types: Regional Registration Request and Regional Registration Reply. These messages are used by the MN instead of the existing Mobile IPv4 Registration Request and Registration Reply, as described in Section 6.

Regional registration messages are protected by required authentication extensions, in the same way as the existing Mobile IPv4 registration messages are protected. The following rules apply to authentication extensions:

o The MN-GFA Authentication extension [RFC3344] MUST be included in all regional registration messages.

o The MN-FA Authentication extension [RFC3344] MAY be included in regional registration messages.

o The FA-HA Authentication extension [RFC3344] MUST NOT be included in any regional registration message.

10.1. Regional Registration Request

The Regional Registration Request is used by a MN to register with its current GFA.

Regional Registration Request:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |S|B|D|M|G|r|T|x|          Lifetime             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                          Home Address                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         GFA IP Address                        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                        Care-of Address                        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                         Identification                        +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       | Extensions ...
       +-+-+-+-+-+-+-+-
        

The Regional Registration Request is defined as the Registration Request in [RFC3344], but with the following changes:

Type 18 (Regional Registration Request)

Lifetime The number of seconds remaining before the Regional Registration is considered expired. A value of zero indicates a request for deregistration with the GFA. A value of 0xffff indicates infinity.

GFA IP Address The IP address of the Gateway Foreign Agent (GFA). (Replaces Home Agent field in Registration Request message in [RFC3344].)

Care-of Address Care-of address of local FA; MAY be set to all-ones.

Identification A 64-bit number, constructed by the MN, used for matching Regional Registration Requests with Regional Registration Replies, and for protecting against replay attacks of regional registration messages.

Extensions For the Regional Registration Request, the Hierarchical Foreign Agent (HFA) Extension is an allowable extension (in addition to those which are allowable for the Registration Request).

10.2. Regional Registration Reply

The Regional Registration Reply delivers the indication of regional registration acceptance or denial to a MN.

In the Regional Registration Reply, the UDP header is followed by the Mobile IP fields shown below:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Code      |           Lifetime            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                          Home Address                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                        GFA IP Address                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                         Identification                        +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       | Extensions ...
       +-+-+-+-+-+-+-+-
        

This message is defined as the Registration Reply message in [RFC3344], but with the following changes:

Type 19 (Regional Registration Reply)

Code A value indicating the result of the Regional Registration Request. See [RFC3344] for a list of currently defined Code values.

Lifetime If the Code field indicates that the regional registration was accepted, the Lifetime field is set to the number of seconds remaining before the regional registration is considered expired. A value of zero indicates that the MN has been deregistered with the GFA. A value of 0xffff indicates infinity. If the Code field indicates that the regional registration was denied, the contents of the Lifetime field are unspecified and MUST be ignored on reception.

GFA IP Address The IP address of the Gateway Foreign Agent (GFA) generating the Regional Registration Reply. (Replaces Home Agent field specified in Mobile IPv4 [RFC3344].)

Identification A 64-bit number used for matching Regional Registration Requests with Regional Registration Replies, and for protecting against replay attacks of regional registration messages. The value is based on the Identification field from the Regional Registration Request message from the MN, and on the style of replay protection used in the security context between the MN and its GFA (defined by the mobility security association between them).

10.3. New Regional Registration Reply Code Values

For a Regional Registration Reply, the following additional Code values are defined in addition to those specified in Mobile IPv4 [RFC3344].

Registration denied by the FA:

          +----------------------+-------+---------------------+
          | Error Name           | Value | Section of Document |
          +----------------------+-------+---------------------+
          | UNKNOWN_GFA          | 112   | Section 6.2         |
          | GFA_UNREACHABLE      | 113   |                     |
          | GFA_HOST_UNREACHABLE | 114   |                     |
          | GFA_PORT_UNREACHABLE | 115   |                     |
          +----------------------+-------+---------------------+
        

Registration denied by the GFA:

               +-------------+-------+---------------------+
               | Error Name  | Value | Section of Document |
               +-------------+-------+---------------------+
               | NO_HOME_REG | 193   | Section 6.3         |
               +-------------+-------+---------------------+
        

The first four Code values (112 through 115) are returned to the MN in response to ICMP errors that may be received by the FA.

11. Authentication Extensions

In this section, two new subtypes for the Generalized Authentication Extension [RFC4721] are specified. First, the FA-FA Authentication extension is used by FAs to secure the HFA extension to the Registration Request and Regional Registration Request messages. A new authentication extension is necessary because the HFA extension is typically added after the MN-HA Authentication extension or, e.g., the MN-AAA Authentication extension [RFC4721].

The MN-GFA Authentication extension is used whenever the MN has a co-located address. The MN-GFA Authentication extension is also used to provide authentication for a Regional Registration Request.

The subtype values for these new subtypes are as follows:

                     +-----------------------+-------+
                     | Subtype Name          | Value |
                     +-----------------------+-------+
                     | FA-FA authentication  |  2    |
                     | MN-GFA authentication |  3    |
                     +-----------------------+-------+
        

The default algorithm for computation of the authenticator is the same as for the MN-AAA Authentication subtype defined in [RFC4721].
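
To make the Section 10 and 11 rules concrete, here is an added example (not code from RFC 4857 or from any Mobile IP implementation) that builds a Regional Registration Request, appends the HFA extension and the two new Generalized Authentication subtypes, and runs the GFA-side checks: MN-GFA authentication present, FA-HA authentication absent, HFA covered by a following FA-FA authentication, and every authenticator verified. Assumptions: the authenticator is HMAC-MD5 over all preceding bytes plus the extension's Type, Subtype, Length and SPI (the RFC 4721 MN-AAA default); keys, SPIs and addresses are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Values quoted from RFC 4857 (Sections 9.2, 10.1, 11) and RFC 3344 / RFC 4721.
REGIONAL_REG_REQUEST = 18   # Section 10.1
EXT_FA_HA_AUTH = 34         # RFC 3344; MUST NOT appear in regional messages
EXT_GEN_AUTH = 36           # Generalized Authentication Extension, RFC 4721
EXT_HFA = 140               # Hierarchical Foreign Agent, Section 9.2
SUBTYPE_FA_FA = 2           # Section 11
SUBTYPE_MN_GFA = 3          # Section 11
HEADER_LEN = 24             # Type .. Identification of the fixed part

def regional_request_header(flags, lifetime, home, gfa, coa, ident):
    """Fixed part of the Regional Registration Request (Section 10.1)."""
    return struct.pack("!BBH4s4s4sQ", REGIONAL_REG_REQUEST, flags, lifetime,
                       socket.inet_aton(home), socket.inet_aton(gfa),
                       socket.inet_aton(coa), ident)

def hfa_ext(fa_ip):
    """HFA extension: Type 140, Length 6, 16 reserved bits, FA IP Address."""
    return struct.pack("!BBH4s", EXT_HFA, 6, 0, socket.inet_aton(fa_ip))

def gen_auth_ext(subtype, spi, key, preceding):
    """Generalized Authentication Extension: Type 36, Subtype, 16-bit Length,
    SPI, Authenticator.  Assumption: HMAC-MD5 over every preceding byte plus
    this extension's Type/Subtype/Length/SPI (the RFC 4721 MN-AAA default)."""
    head = struct.pack("!BBHI", EXT_GEN_AUTH, subtype, 4 + 16, spi)
    return head + hmac.new(key, preceding + head, hashlib.md5).digest()

def parse_extensions(msg, start=HEADER_LEN):
    """Walk the TLV extensions; returns (type, subtype, offset, value) tuples."""
    exts, pos = [], start
    while pos < len(msg):
        ext_type = msg[pos]
        if ext_type == EXT_GEN_AUTH:       # 1-byte Subtype, 2-byte Length
            subtype, length = struct.unpack_from("!BH", msg, pos + 1)
            value_start = pos + 4
        else:                              # classic 1-byte Length
            subtype, length, value_start = None, msg[pos + 1], pos + 2
        end = value_start + length
        if end > len(msg):
            raise ValueError("truncated extension at offset %d" % pos)
        exts.append((ext_type, subtype, pos, msg[value_start:end]))
        pos = end
    return exts

def check_regional_request(msg, keys):
    """GFA-side checks from Sections 9.2, 10 and 11.  Returns the list of rule
    violations (empty means accepted).  keys maps (subtype, SPI) to the HMAC
    key of that mobility security association."""
    if msg[0] != REGIONAL_REG_REQUEST:
        return ["Type %d is not a Regional Registration Request" % msg[0]]
    exts = parse_extensions(msg)
    kinds = [(t, s) for t, s, _, _ in exts]
    problems = []
    if (EXT_FA_HA_AUTH, None) in kinds:
        problems.append("FA-HA Authentication extension MUST NOT be present")
    if (EXT_GEN_AUTH, SUBTYPE_MN_GFA) not in kinds:
        problems.append("MN-GFA Authentication extension is missing")
    for i, kind in enumerate(kinds):
        # An HFA extension appended by the FA must be followed by FA-FA auth
        if kind == (EXT_HFA, None) and kinds[i + 1:i + 2] != [(EXT_GEN_AUTH, SUBTYPE_FA_FA)]:
            problems.append("HFA extension is not protected by FA-FA Authentication")
    for ext_type, subtype, offset, value in exts:
        if ext_type != EXT_GEN_AUTH:
            continue
        spi = struct.unpack_from("!I", value)[0]
        key = keys.get((subtype, spi))
        if key is None:
            problems.append("no security association for subtype %d SPI %#x" % (subtype, spi))
            continue
        # offset + 8 covers this extension's Type, Subtype, Length and SPI
        expected = hmac.new(key, msg[:offset + 8], hashlib.md5).digest()
        if not hmac.compare_digest(expected, value[4:]):
            problems.append("authenticator mismatch for subtype %d" % subtype)
    return problems

# Constructed sample data (not real keys or deployments): the MN authenticates
# toward its GFA, then the relaying FA appends the HFA extension and FA-FA auth.
MN_GFA_KEY = b"\x11" * 16
FA_FA_KEY = b"\x22" * 16
KEYS = {(SUBTYPE_MN_GFA, 0x100): MN_GFA_KEY, (SUBTYPE_FA_FA, 0x200): FA_FA_KEY}

def build_sample(fa_signs=True, tamper_after_signing=False):
    msg = regional_request_header(0x00, 1800, "198.51.100.5", "203.0.113.1",
                                  "192.0.2.10", 0x0123456789ABCDEF)
    msg += gen_auth_ext(SUBTYPE_MN_GFA, 0x100, MN_GFA_KEY, msg)
    msg += hfa_ext("192.0.2.10")
    if fa_signs:
        msg += gen_auth_ext(SUBTYPE_FA_FA, 0x200, FA_FA_KEY, msg)
    if tamper_after_signing:  # flip one bit of the Home Address after signing
        msg = msg[:4] + bytes([msg[4] ^ 0x01]) + msg[5:]
    return msg

if __name__ == "__main__":
    for variant in ({}, {"fa_signs": False}, {"tamper_after_signing": True}):
        print(variant, check_regional_request(build_sample(**variant), KEYS))
```

The tampered variant fails both authenticators, since the MN-GFA and FA-FA extensions each cover the fixed header.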

12. Security Considerations

This document proposes a method for a MN to register locally in a visited domain. The authentication extensions to be used are those defined in [RFC3344] and [RFC4721]. Key distribution, assumed to take place during home registration, is to be performed, for instance, according to [RFC4004] or [RFC3957]. Alternatively, the keys can be pre-configured.

If the Hierarchical Foreign Agent (HFA) extension is appended to a Registration Request, this extension is to be followed by an FA-FA Authentication extension (see Section 11) to prevent any modification to the data. Security associations between FAs and GFAs within a domain are assumed to exist prior to regional registrations.

If the GFA IP Address extension is added to a registration message, it is to be followed by an authentication extension. In case of the GFA IP Address extension being added to a Registration Request, it should be protected by an FA-HA Authentication extension. If no security association exists between the GFA and the HA, the Registration Request needs to be protected by other means not defined in this document. When a GFA IP Address extension is added to a Registration Reply, it is protected by the Mobile-Home Authentication extension as defined in [RFC3344].

Replay protection for regional registrations is defined similarly to [RFC3344], with the addition of a Replay Protection Style extension. If this extension is added to a Registration Reply by a GFA, it needs to be protected by a MN-FA Authentication extension.

A co-operating malicious MN-HA pair can trick the GFA into setting up state for an incorrect MN home address. This would result in redirection of data of the node that actually owns that IP address to the malicious MN. Given that the forwarding happens based on the home address at the GFA, such an attack is scoped to the prefix of the HA, not that of the GFA. This type of attack, or its consequences, is not considered in this document.

13. IANA Considerations

This document defines:

o A subtype for the NAI Carrying Extension [RFC3846] is specified in Section 8.2, which needs to have a value assigned from the space of NAI Carrying Extension subtypes.

o Four new extensions to Mobile IP Registration messages: GFA IP Address, Hierarchical Foreign Agent, Replay Protection Style, and Regional Registration Lifetime (see Sections 9.1, 9.2, 9.3, and 9.4). The Type values for the GFA IP Address extension must be within the range 0 through 127, while the other three must be within the range 128 through 255.

o New Code values for Registration Reply messages (see Section 9.5).

o Two new subtypes for the Generalized Authentication Extension [RFC4721]; see Section 11.

o Two new message types for Mobile IP: Regional Registration Request and Regional Registration Reply (see Sections 10.1 and 10.2).

o Code values for Regional Registration Reply messages (see Section 10.3).

14. Acknowledgements

This document is a logical successor to documents written with Pat Calhoun and Gabriel Montenegro; thanks to them and their many efforts to help explore this problem space. Many thanks also to Jari Malinen for his commentary on a rough version of this document.

15. References
15.1. Normative References

[RFC1256] Deering, S., "ICMP Router Discovery Messages", RFC 1256, September 1991.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Network Access Identifier", RFC 4282, December 2005.

[RFC2794] Calhoun, P. and C. Perkins, "Mobile IP Network Access Identifier Extension for IPv4", RFC 2794, March 2000.

[RFC3024] Montenegro, G., "Reverse Tunneling for Mobile IP, revised", RFC 3024, January 2001.

[RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, August 2002.

[RFC3519] Levkowetz, H. and S. Vaarala, "Mobile IP Traversal of Network Address Translation (NAT) Devices", RFC 3519, May 2003.

[RFC3846] Johansson, F. and T. Johansson, "Mobile IPv4 Extension for Carrying Network Access Identifiers", RFC 3846, June 2004.

[RFC4721] Perkins, C., Calhoun, P., and J. Bharatia, "Mobile IPv4 Challenge/Response Extensions (Revised)", RFC 4721, January 2007.

15.2. Informative References

[RFC3957] Perkins, C. and P. Calhoun, "Authentication, Authorization, and Accounting (AAA) Registration Keys for Mobile IPv4", RFC 3957, March 2005.

[RFC4004] Calhoun, P., Johansson, T., Perkins, C., Hiller, T., and P. McCann, "Diameter Mobile IPv4 Application", RFC 4004, August 2005.

Appendix A. Authentication, Authorization, and Accounting (AAA) Interactions

When the mobile node has to obtain authorization by way of Authentication, Authorization, and Accounting (AAA) infrastructure services, the control flow implicit in the main body of this specification is likely to be modified. Typically, the mobile node will supply credentials for authorization by AAA as part of its registration messages. The GFA will parse the credentials supplied by the mobile and forward the appropriate authorization request to a local AAA server (see [RFC3012] and [RFC4004]).

Concretely, this means that:

o The GFA MAY include the Mobile IP Registration Request data inside an authorization request, directed to a local AAA server.

o The GFA MAY receive the Mobile IP Registration Reply data from a message granting authorization, received from the AAA infrastructure.

Appendix B. Anchoring at a GFA

As described earlier in this draft, once a mobile node has registered the address of a GFA as its care-of address with its home agent, it MAY perform regional registrations when changing foreign agent under the same GFA. When detecting that it has changed foreign agent, and if the new foreign agent advertises the 'I' flag, the mobile node MAY address a Regional Registration Request message to its registered GFA, even if the address of that particular GFA is not advertised by the new foreign agent. The foreign agent MAY then relay the request to the GFA in question, or deny the request with error code UNKNOWN_GFA.
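The behaviour described in this appendix, written out as an added illustration (not code from the RFC or from any implementation): the mobile node keeps its GFA anchor when the new foreign agent advertises the 'I' flag, and the foreign agent either relays the request to that GFA or denies it with UNKNOWN_GFA. The message field names, the advertisement layout, the notion of a locally configured "reachable GFA" table and the numeric value used for UNKNOWN_GFA are assumptions; the real code value is assigned in Section 10.3.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Placeholder only: the real UNKNOWN_GFA value is assigned in Section 10.3.
UNKNOWN_GFA = 0xFF


@dataclass(frozen=True)
class AgentAdvertisement:
    """Fields of a foreign agent advertisement relevant here (assumed layout)."""
    i_flag: bool                       # FA supports regional registration
    gfa_addresses: frozenset           # GFA addresses the FA advertises


@dataclass(frozen=True)
class RegionalRegistrationRequest:
    home_address: IPv4Address
    gfa_address: IPv4Address           # GFA the mobile node is anchored at


@dataclass(frozen=True)
class Decision:
    action: str                        # "relay" or "deny"
    code: Optional[int] = None         # Regional Registration Reply code on deny


def mobile_node_choice(anchored_gfa, advert):
    """Mobile node logic after detecting a change of foreign agent."""
    if anchored_gfa is None or not advert.i_flag:
        return "home"        # no anchor or no 'I' support: register with the HA
    # The anchor is kept even when the new FA does not advertise this GFA.
    return "regional"


class ForeignAgent:
    def __init__(self, advert, reachable_gfas=()):
        self.advert = advert
        # GFAs this FA can reach: advertised ones always, plus any others
        # known from local configuration (assumed, not specified by the RFC).
        self.reachable = set(reachable_gfas) | set(advert.gfa_addresses)

    def handle(self, req):
        """Relay the request to the requested GFA, or deny with UNKNOWN_GFA."""
        if req.gfa_address in self.reachable:
            return Decision("relay")
        return Decision("deny", UNKNOWN_GFA)
```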

Authors' Addresses

Eva Fogelstroem
Ericsson
Torshamnsgatan 23
SE-164 80 Stockholm
Sweden

   EMail: eva.fogelstrom@ericsson.com

Annika Jonsson
Ericsson
Tellusborgsvagen 83-87
S-126 37 Hagersten
Sweden

   EMail: annika.jonsson@ericsson.com

Charles E. Perkins
Nokia Siemens Networks
313 Fairchild Drive
Mountain View, California 94043
USA

   EMail: charles.perkins@nsn.com

Full Copyright Statement

Copyright (C) The IETF Trust (2007).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
