Mobile IPv6 security

The binding update and binding acknowledgement messages exchanged between the mobile node and the home agent must be protected by IP Security using Encapsulating Security Payload (ESP) with a non-NULL payload authentication algorithm. ESP with a NULL authentication algorithm provides no integrity protection, so it would not prevent an attacker from forging or altering binding updates.

For more information about IP Security, see Security.

The binding between a mobile node and a correspondent node is secured by the Return Routability procedure. The Return Routability messages that pass between the home agent and the mobile node (the Home Test Init and Home Test messages tunnelled through the home agent) should also be protected by IP Security using ESP. Because the binding update and binding acknowledgement messages exchanged between a correspondent node and a mobile node are protected by the Return Routability procedure, there are no IP Security requirements for correspondent nodes. However, if a correspondent node uses IP Security filtering to restrict access, packets with protocol MH (135) must be permitted, or the Return Routability and binding messages will be dropped.

Tunnels can be defined manually or by using IKE with the home agent acting as responder (only aggressive mode is supported). At a minimum, the following IP Security tunnels, using the ESP header, must be defined on the home agent:
  • a transport-mode tunnel for protocol MH (135) between the home agent IP address and the home address of each mobile node that may register with this home agent; this protects the binding update and binding acknowledgement messages.
  • a tunnel-mode tunnel for protocol MH (135) between any IP address and the home address of each mobile node that may register with this home agent; this protects the Return Routability messages that are tunnelled through the home agent.
Matching tunnels must be defined on each mobile node.
Note: The binding update and binding acknowledgement messages are carried in a Mobility Header and must be protected by IP Security using ESP.

Earlier AIX implementations of Mobile IPv6 supported mobile nodes that sent binding update messages as Destination Option packets (the draft-13 format). These messages could be protected by IP Security using an Authentication Header (AH).

For a home agent or a correspondent node to accept such Destination Option binding update messages, edit the /etc/rc.mobip6 file and enable the Enable_Draft13_Mobile variable before starting Mobile IPv6. If you use IP Security to protect these messages, you must define manual or IKE tunnels in transport mode for protocol 60 (the Destination Options header); these protect the Binding Update and Binding Acknowledgement messages.

For a home agent or a correspondent node to accept binding update messages that are not protected by IP Security, edit the /etc/rc.mobip6 file and disable the Check_IPsec variable. This is not recommended: a binding update registers the care-of address to which traffic for a mobile node is forwarded, so accepting unauthenticated binding updates lets anyone who can send a packet to the node redirect traffic addressed to a mobile node to an address of their choosing, or cut the mobile node off entirely.
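The acceptance policy described above (a Binding Update is accepted only when carried in a Mobility Header protected by ESP with integrity checking; Destination Option carriage is accepted only with Enable_Draft13_Mobile; unprotected binding updates are accepted only with Check_IPsec disabled), modelled as an added Python example. This is not AIX code: it builds constructed IPv6 packets inline, models transport-mode ESP with NULL encryption and HMAC-SHA1-96 so that the inner header stays readable while an ICV covers it, and treats any Destination Options header as the draft-13 carrier without encoding the option itself. The addresses, SPI and SA key are constructed for the example.

```python
"""Model of the Mobile IPv6 binding update acceptance policy (added example, not AIX code)."""
import hashlib
import hmac
import struct

# IPv6 next-header values (IANA protocol numbers)
IPPROTO_ESP = 50
IPPROTO_NONE = 59          # "no next header"
IPPROTO_DSTOPTS = 60       # Destination Options header (draft-13 Binding Update carrier)
IPPROTO_MH = 135           # Mobility Header
MH_BINDING_UPDATE = 5      # Mobility Header type of a Binding Update
ICV_LEN = 12               # HMAC-SHA1-96 ICV; assumed SA algorithm for this model
MAX_HEADERS = 8

SA_KEY = b"constructed-demo-key"   # constructed; a real SA key comes from manual config or IKE
MN_HOME = bytes.fromhex("20010db8000000010000000000000010")   # constructed home address
HA_ADDR = bytes.fromhex("20010db8000000010000000000000001")   # constructed home agent address


def ipv6_packet(src, dst, next_hdr, payload):
    """Fixed 40-byte IPv6 header (version 6, hop limit 64) followed by payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + src + dst + payload


def mobility_header(mh_type):
    """8-byte Mobility Header: next hdr, hdr ext len, MH type, reserved, checksum, 2 pad bytes."""
    return struct.pack("!BBBBH", IPPROTO_NONE, 0, mh_type, 0, 0) + b"\x00\x00"


def dest_options_header():
    """Minimal 8-byte Destination Options header holding only a PadN option."""
    return struct.pack("!BB", IPPROTO_NONE, 0) + b"\x01\x04\x00\x00\x00\x00"


def esp_transport(spi, seq, inner_next, inner, key=SA_KEY):
    """Transport-mode ESP with NULL encryption and HMAC-SHA1-96 authentication.
    Layout: SPI | seq | inner | padding | pad len | next hdr | ICV."""
    pad_len = (-(len(inner) + 2)) % 4            # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, inner_next)
    body = struct.pack("!II", spi, seq) + inner + trailer
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]


def accept_binding_update(packet, key=SA_KEY, check_ipsec=True, enable_draft13=False):
    """Walk the extension-header chain and return (accepted, reason).

    check_ipsec=False models disabling Check_IPsec in /etc/rc.mobip6;
    enable_draft13=True models enabling Enable_Draft13_Mobile."""
    next_hdr, off = packet[6], 40
    protected = False
    for _ in range(MAX_HEADERS):
        if next_hdr == IPPROTO_ESP:
            # Verify the ICV before trusting anything inside the ESP payload.
            body, icv = packet[off:-ICV_LEN], packet[-ICV_LEN:]
            expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
            if not hmac.compare_digest(icv, expected):
                return False, "ESP ICV mismatch"
            protected = True
            next_hdr, off = packet[-ICV_LEN - 1], off + 8   # Next Header lives in the trailer
            continue
        if next_hdr == IPPROTO_MH:
            if check_ipsec and not protected:
                return False, "Mobility Header not protected by ESP"
            if packet[off + 2] != MH_BINDING_UPDATE:
                return False, "Mobility Header is not a Binding Update"
            return True, "Binding Update accepted"
        if next_hdr == IPPROTO_DSTOPTS and enable_draft13:
            if check_ipsec and not protected:
                return False, "draft-13 Binding Update not protected by IPsec"
            return True, "draft-13 Binding Update accepted"
        if next_hdr == IPPROTO_NONE:
            return False, "no Binding Update in packet"
        # Any other extension header: skip it using its Hdr Ext Len (8-octet units, minus 1).
        next_hdr, off = packet[off], off + (packet[off + 1] + 1) * 8
    return False, "too many extension headers"


def demo():
    """Run the policy over constructed packets under each rc.mobip6 setting."""
    bu = mobility_header(MH_BINDING_UPDATE)
    protected = ipv6_packet(MN_HOME, HA_ADDR, IPPROTO_ESP, esp_transport(0x100, 1, IPPROTO_MH, bu))
    bare = ipv6_packet(MN_HOME, HA_ADDR, IPPROTO_MH, bu)
    draft13 = ipv6_packet(MN_HOME, HA_ADDR, IPPROTO_DSTOPTS, dest_options_header())
    return {
        "esp_mh": accept_binding_update(protected),
        "esp_mh_wrong_key": accept_binding_update(protected, key=b"attacker-key"),
        "bare_mh": accept_binding_update(bare),
        "bare_mh_no_check": accept_binding_update(bare, check_ipsec=False),
        "draft13_default": accept_binding_update(draft13),
        "draft13_enabled": accept_binding_update(draft13, enable_draft13=True),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The "bare_mh_no_check" case is the configuration the text warns against: with Check_IPsec disabled, a Mobility Header Binding Update from any source is accepted with no integrity check at all, whereas the default rejects it and accepts only the ESP-protected copy whose ICV verifies under the SA key.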