Computer NetworksMobile IP

Mobile IP: Enabling Seamless Network Mobility

LevelAdvanced

Duration90 mins

TopicMobile IP

4 / 5

Care-of Address

The Mobile Node's Current Location

In Mobile IP, the mobile node maintains two addresses: its permanent Home Address that serves as its stable identity, and a temporary Care-of Address (CoA) that represents its current location in the network topology.

The Care-of Address is the destination for tunneled packets—it's where the Home Agent sends encapsulated traffic when the mobile node is away from home. Think of it as a forwarding address: when you travel, your mail is forwarded to your temporary address (the CoA), but your permanent address (home address) remains on your ID and official documents.

Understanding the Care-of Address is essential because it's the key mechanism that bridges the gap between identity and location. Without a topologically correct CoA, packets couldn't be routed to the mobile node's current position—the Internet's routing system wouldn't know how to reach a foreign address that doesn't match the mobile node's home network prefix.

What You Will Learn

By the end of this page, you will understand how Care-of Addresses are acquired, the distinction between Foreign Agent CoA and Co-located CoA, the binding lifecycle that associates home addresses with current locations, and the mechanisms that handle address conflicts, handoffs, and binding updates during mobility.

Care-of Address: Fundamental Concepts

The Care-of Address (CoA) is a temporary IP address that indicates the mobile node's current point of attachment to the Internet. It is topologically correct for the visited network, meaning packets addressed to the CoA can be routed using standard Internet routing mechanisms.

Formal Definition (RFC 5944):

A Care-of Address is the termination point of a tunnel toward a mobile node, for datagrams forwarded to the mobile node while it is away from home. The protocol can use two different types of care-of address: a "foreign agent care-of address" is an address of a foreign agent with which the mobile node is registered, and a "co-located care-of address" is an externally obtained local address which the mobile node has associated with one of its own network interfaces.

The Two Address Identity:

A mobile node, when away from home, effectively has a dual identity:

Mobile Node's Dual Address Identity
Address Type	Purpose	Stability	Visibility
Home Address	Identity - Who the MN is	Permanent (doesn't change)	Visible to correspondents, used in TCP connections
Care-of Address	Location - Where the MN is now	Temporary (changes with movement)	Used for tunneling, hidden from correspondents

Converting Mermaid diagram...

Why Must CoA Be Topologically Correct?

The Internet's routing system forwards packets based on destination address prefixes. A packet addressed to 172.16.5.23 is routed toward the network 172.16.5.0/24. If the CoA weren't an address on the visited network, routers wouldn't know how to deliver the tunneled packet to the mobile node.

This is why a mobile node can't simply use its home address as the tunnel endpoint—the home address is topologically correct only for the home network, not the visited network. Standard routing would send packets to the home network, not to where the MN currently resides.

IPv6 and Address Abundance

In IPv6, every interface typically has multiple addresses (link-local, global, temporary). Mobile IPv6 (MIPv6) leverages this address abundance differently, but the fundamental concept of separating identity from location remains central to the protocol design.

Care-of Address Types: FA-CoA vs. CCoA

Mobile IPv4 defines two types of Care-of Address, each with distinct characteristics, acquisition methods, and implications for the mobile node and network infrastructure.

Type 1: Foreign Agent Care-of Address (FA-CoA)

With FA-CoA, the mobile node uses the Foreign Agent's IP address as its Care-of Address:

Mobile Node Registration:
  Home Address: 10.0.1.50 (MN's permanent identity)
  Care-of Address: 172.16.5.1 (FA's address, shared with other MNs)
  Home Agent: 10.0.1.1

Binding at Home Agent:
  10.0.1.50 → 172.16.5.1

Characteristics:

Multiple mobile nodes share the same CoA
FA differentiates packets by inner destination address
MN doesn't need a unique routable address
Requires FA deployment on visited network

Converting Mermaid diagram...

Type 2: Co-located Care-of Address (CCoA)

With CCoA, the mobile node acquires its own unique IP address on the visited network:

Mobile Node Configuration:
  Interface: wlan0
  Home Address: 10.0.1.50 (configured statically or by Mobile IP)
  Care-of Address: 172.16.5.100 (obtained via DHCP on foreign network)

Mobile Node Registration:
  Home Address: 10.0.1.50
  Care-of Address: 172.16.5.100 (MN's own address)
  Home Agent: 10.0.1.1

Binding at Home Agent:
  10.0.1.50 → 172.16.5.100

Characteristics:

Each MN has unique CoA
MN receives and decapsulates tunneled packets directly
Works on any network with DHCP (no FA required)
Consumes one IPv4 address per mobile node

Detailed FA-CoA vs. CCoA Comparison
Aspect	FA Care-of Address	Co-located Care-of Address
Address Acquisition	From FA Agent Advertisement	From DHCP, static config, or PPP
Decapsulation Point	Foreign Agent	Mobile Node itself
IPv4 Address Usage	Efficient (shared)	One per MN (pressure on IPv4)
Infrastructure Needed	FA on visited network	Standard DHCP only
MN Implementation	Simpler (no tunnel handling)	Complex (tunnel decapsulation)
Registration Flag	D-bit = 0 (FA decapsulates)	D-bit = 1 (MN decapsulates)
NAT Traversal	Possible (FA has external IP)	Complex (MN behind NAT)
Typical Use Case	Operator-managed networks	Public WiFi, BYOD scenarios

The D-bit Flag

In Registration Requests, the D-bit (Decapsulation by Mobile Node) indicates whether the MN can decapsulate tunneled packets itself. When D=1, the MN has a co-located CoA and handles its own tunnel termination. When D=0, the FA must be the tunnel endpoint.

Care-of Address Acquisition Methods

Depending on the CoA type, mobile nodes use different mechanisms to obtain their Care-of Address when arriving on a foreign network.

Method 1: Foreign Agent Advertisement (for FA-CoA)

When a Foreign Agent is present, the mobile node learns the CoA from Agent Advertisements:

Converting Mermaid diagram...

Method 2: DHCP Acquisition (for CCoA)

Without a Foreign Agent, the mobile node obtains an address through standard DHCP:

1. MN connects to foreign network (e.g., WiFi association)
2. MN broadcasts DHCP Discover
3. DHCP server responds with Offer: 172.16.5.100/24
4. MN sends Request, receives Ack
5. MN configures interface with 172.16.5.100
6. MN uses 172.16.5.100 as Co-located CoA
7. MN sends Registration Request to HA:
   - Home Address: 10.0.1.50
   - Care-of Address: 172.16.5.100
   - D-bit: 1 (MN will decapsulate)

Method 3: PPP/IPCP (for CCoA)

On dial-up or point-to-point connections, the address is negotiated via IPCP:

PPP Connection:
  LCP negotiation
  Authentication (PAP/CHAP)
  IPCP negotiation:
    - NAS assigns IP: 172.16.5.200
    - MN uses 172.16.5.200 as CCoA

Method 4: Static Configuration (for CCoA)

In some scenarios, mobile nodes have pre-configured addresses:

Enterprise laptops with reserved addresses
IoT devices with SIM cards and static IP
VPN configurations with assigned addresses

DHCP Lease Considerations

When using DHCP for CCoA, the mobile node must ensure the DHCP lease remains valid for the duration of the Mobile IP registration. If the DHCP lease expires before the binding lifetime, the CoA becomes invalid, and tunneled packets will be undeliverable.

Interface Configuration with Dual Addresses:

When using Co-located CoA, the mobile node's interface may need to be configured with both addresses:

Network Interface Configuration:
  Interface: wlan0
  Primary Address: 172.16.5.100/24 (CoA, for routing)
  Secondary Address: 10.0.1.50/32 (Home Address, for application binding)
  Default Gateway: 172.16.5.1

Routing Table:
  Destination        Gateway         Interface
  0.0.0.0/0         172.16.5.1      wlan0     # Default route
  10.0.1.0/24       tunnel0         -         # Home network via tunnel

This configuration allows:

Applications to continue using the home address for connections
Outgoing packets to use the CoA as source for tunnel encapsulation
Incoming tunneled packets to be received at the CoA

The Binding Lifecycle: From Creation to Expiration

A binding is the association between a mobile node's home address and its current Care-of Address, stored in the Home Agent's binding cache. Understanding the binding lifecycle is crucial for comprehending Mobile IP's behavior.

Binding States:

Converting Mermaid diagram...

Binding Creation:

1. MN arrives on foreign network
2. MN obtains Care-of Address (FA or DHCP)
3. MN sends Registration Request:
   - Home Address: 10.0.1.50
   - Care-of Address: 172.16.5.23
   - Requested Lifetime: 600 seconds
   - Authentication
4. HA validates request
5. HA creates binding entry:
   {
     home_address: 10.0.1.50,
     care_of_address: 172.16.5.23,
     lifetime: min(requested, max_allowed),  // e.g., 600s
     created_at: current_time,
     sequence_number: request.identification
   }
6. HA sends Registration Reply (code=0)
7. HA begins tunneling packets for 10.0.1.50

Binding Refresh (Re-registration):

Bindings expire after their lifetime. The mobile node must re-register before expiration to maintain connectivity:

Timeline:
  T=0:    Initial registration, lifetime=600s
  T=300:  MN sends re-registration (halfway point is common)
  T=300:  HA accepts, resets lifetime to 600s
  T=600:  (Would have expired, but re-registration extended it)
  T=600+: MN still reachable

Re-registration Strategy:
  - Register at T = initial_lifetime * 0.5 (safe margin)
  - If reply not received, retry with backoff
  - If lifetime is very short, register more frequently

Binding Expiration:

If the mobile node fails to re-register (battery died, moved away without deregistering, network failure), the binding expires:

1. HA binding timer fires at T=lifetime
2. Check: Is current_time > created_at + lifetime?
3. If yes:
   - Remove binding from cache
   - Stop proxy ARP for home address (optional)
   - Future packets: no tunnel, may go to home network directly
     or trigger ICMP Host Unreachable

Explicit De-registration:

When a mobile node returns home, it should explicitly deregister:

De-registration Request:
  Home Address: 10.0.1.50
  Care-of Address: 10.0.1.50 (same as home, or 0.0.0.0)
  Lifetime: 0  ← Key indicator of de-registration

HA Processing:
  1. Receive request with lifetime=0
  2. Remove binding for 10.0.1.50
  3. Stop tunneling
  4. Send gratuitous ARP to return L2 traffic to MN
  5. Reply with code=0 (de-registration accepted)

Lifetime Negotiation

The mobile node requests a lifetime, but the Home Agent may grant a shorter one. The HA's reply indicates the actual granted lifetime, which the MN must use for scheduling re-registration. HAs often cap lifetimes to force periodic re-registration, ensuring stale bindings don't persist.

Handoff: Changing Care-of Addresses

Mobile devices don't just move once—they continuously change their point of attachment as users move between WiFi networks, cellular towers, or geographic locations. Each movement may require a new Care-of Address, triggering a handoff process.

Handoff Scenarios:

Inter-network handoff: Moving from one network to a completely different network (e.g., home WiFi to coffee shop WiFi)
Inter-FA handoff: Moving between different Foreign Agents on different subnets
Intra-FA handoff: Moving within the same FA's coverage (no CoA change needed)
Technology handoff: Switching between network technologies (e.g., WiFi to cellular)

Converting Mermaid diagram...

Handoff Latency Analysis:

The time during which a mobile node is unreachable during handoff (packets sent to old CoA are lost) is called handoff latency:

Handoff Latency Components:

1. Movement Detection (L2 events, Agent Advertisement)  ~100-500ms
2. CoA Acquisition (DHCP or FA advertisement)          ~50-500ms  
3. Registration RTT (MN → HA → MN via FA)              ~20-200ms
4. Binding Update Processing at HA                      ~1-10ms

Total Typical Handoff Latency: 200ms - 1200ms

During this window:
- Packets to old CoA: Lost (old FA drops, or MN unreachable)
- New connections: Can't start until registration complete
- Existing connections: TCP will retransmit lost segments

Simultaneous Bindings:

To reduce packet loss during handoff, Mobile IP supports simultaneous bindings—maintaining bindings for both old and new CoAs temporarily:

Simultaneous Bindings:
  Registration Request:
    S-bit = 1 (request simultaneous binding)

  HA Binding Cache (during transition):
    10.0.1.50 → 172.16.5.1 (old CoA, expiring soon)
    10.0.1.50 → 192.168.1.1 (new CoA, fresh lifetime)

  HA Tunneling Behavior:
    - Send copy of packet to both CoAs
    - MN receives on whichever network has connectivity

  After old binding expires:
    10.0.1.50 → 192.168.1.1 (only new CoA remains)

Make-before-break vs. Break-before-make:

Pattern	Description	Packet Loss
Break-before-make	Disconnect from old, then connect to new	Higher (gap)
Make-before-break	Connect to new before disconnecting old	Lower (overlap)

Simultaneous bindings enable make-before-break handoffs, reducing packet loss significantly.

Fast Handoff Extensions

RFC 4881 (Low-Latency Handoffs) and RFC 5268 (Fast Handovers for Mobile IPv6) define mechanisms to pre-establish bindings before the mobile node moves, reducing handoff latency to tens of milliseconds—essential for real-time applications like VoIP.

Address Conflicts, NAT, and Edge Cases

Real-world deployments encounter various edge cases that complicate Care-of Address handling. Understanding these challenges is essential for troubleshooting and designing robust Mobile IP deployments.

Private Address Spaces and Conflicts:

If the visited network uses the same private address space as the home network, the mobile node may acquire a CoA that conflicts with its home address or home network:

Scenario:
  Home Network: 192.168.1.0/24
  MN Home Address: 192.168.1.50
  
  Visited Network: 192.168.1.0/24 (same prefix!)
  CoA from DHCP: 192.168.1.75

Problem:
  - Routing is ambiguous
  - MN can't distinguish home from foreign network
  - Return path for tunneled packets unclear

Solution:
  - Use globally unique home addresses when possible
  - Or use prefix-based home network detection, not just address

NAT Traversal Challenges:

When a mobile node is behind NAT, its CoA (the private address assigned by DHCP) is not globally routable:

NAT Scenario:
  MN obtains: 10.0.0.50 (private, behind NAT)
  NAT External: 203.0.113.10 (public)
  
  MN registers with CoA: 10.0.0.50
  HA tries to tunnel to: 10.0.0.50
  Result: FAILS - 10.0.0.50 not reachable from Internet
  
Solution: NAT Traversal for Mobile IP
  MN must:
  1. Detect it's behind NAT (STUN/TURN)
  2. Use public address or FA that NAT can reach
  3. Alternatively, use reverse tunneling only

UDP Encapsulation for NAT:

To traverse NAT, Mobile IP can use UDP encapsulation instead of raw IP-in-IP:

Standard IP-in-IP (doesn't traverse NAT):
  Outer IP: HA → Private CoA
  Inner IP: CN → MN Home
  [NAT has no UDP port to track, can't translate]

UDP Encapsulation (NAT-friendly):
  Outer IP: HA → NAT Public
  Outer UDP: src_port → MN registered port
  Inner IP: CN → MN Home
  [NAT can track UDP mapping, translate correctly]

Care-of Address Edge Cases
Edge Case	Problem	Solution
Same prefix at home& foreign	Can't detect foreign network	Use Agent Advertisements, not just prefix
CoA behind NAT	Global unreachability	NAT-T (UDP encapsulation), reverse tunnel only
DHCP lease expires	CoA invalid, packets lost	DHCP renew before Mobile IP re-registration
CoA exhaustion	No addresses available	Use FA-CoA, or wait for DHCP
IPv6 transition	Dual-stack complexity	Mobile IPv6 (MIPv6) or DSMIPv6

The NAT Problem is Serious

NAT significantly complicates Mobile IP deployment. Many modern solutions (like Mobile IPv6 or MOBIKE for IKEv2) handle NAT more gracefully. For IPv4 Mobile IP behind NAT, UDP encapsulation and careful registration port management are essential.

Care-of Address Security

The Care-of Address is a critical security point—an attacker who can register a false CoA can redirect all traffic for a victim mobile node. Understanding these threats and their mitigations is essential.

Threat 1: Redirection Attack

Attack Scenario:
1. Attacker learns victim's home address (10.0.1.50)
2. Attacker crafts Registration Request:
   - Home Address: 10.0.1.50 (victim)
   - CoA: 198.51.100.99 (attacker's machine)
3. If accepted, all traffic for victim goes to attacker

Mitigation: MN-HA Authentication
  - Attacker doesn't have shared secret
  - Can't create valid authenticator
  - HA rejects registration (code 67: auth failed)

Threat 2: Replay Attack

Attack Scenario:
1. Attacker captures valid Registration Request
2. Later replays it from different location
3. Attempts to reset CoA to old value

Mitigation: Identification field + Sequence checking
  - HA tracks last seen Identification per MN
  - Replayed requests have old Identification
  - Rejected with code 133 (Identification mismatch)

Threat 3: CoA Validation (Binding Attack on CN)

In route optimization (Mobile IPv6), the mobile node informs correspondent nodes directly of its CoA. This creates risk of attacks:

Binding Update Attack:
1. Attacker sends Binding Update to CN:
   "MN 10.0.1.50 is now at CoA 198.51.100.99 (attacker)"
2. CN sends traffic to attacker instead of real MN

Mitigation: Return Routability (RR) Procedure
  - CN challenges MN to prove reachability at claimed CoA
  - MN must receive keying material at both home addr AND CoA
  - Only legitimate MN can complete procedure

Threat 4: Flooding Attack via Home Agent

Amplification Attack:
1. Attacker registers MN with victim's IP as CoA
2. HA tunnels all traffic toward victim
3. Victim receives flood of unwanted encapsulated packets

Mitigation (partial):
  - HA rate limiting
  - CoA reachability verification (HA pings CoA)
  - Ingress filtering at source networks

CoA Security Best Practices

•Strong MN-HA authentication — Use HMAC-SHA256 or better, not MD5
•IPsec for control plane — Encrypt and authenticate registration messages
•IPsec for data plane — Encrypt tunneled traffic (ESP tunnel mode)
•Short binding lifetimes — Limit window for stale bindings
•Careful key management — Rotate shared secrets, use per-MN keys
•CoA reachability checks — HA can verify CoA is responsive before binding

Summary: The Care-of Address as Location Marker

The Care-of Address is the mechanism that makes Mobile IP work—it's the topologically correct address that enables packet routing to the mobile node's current location while the home address remains stable for application-level connections.

Key Takeaways

•CoA represents current location — It's the tunnel endpoint where the HA sends encapsulated packets destined for the MN's home address.
•Two CoA types exist — FA-CoA (shared, FA handles decapsulation) and Co-located CoA (unique, MN handles decapsulation).
•CoA acquisition varies — FA advertisement provides FA-CoA; DHCP, PPP, or static config provides CCoA.
•Bindings have lifecycles — Created on registration, refreshed on re-registration, expire without renewal, removed on de-registration.
•Handoffs update CoA — Moving between networks triggers new registration with new CoA; simultaneous bindings reduce packet loss.
•Security is critical — Authentication prevents attackers from registering false CoAs and hijacking mobile node traffic.

What's Next: Triangle Routing

Now that we understand Home Agents, Foreign Agents, and Care-of Addresses, we can examine the complete packet flow in Mobile IP. Triangle Routing describes the path packets take from correspondent to mobile node—a path that involves the home network even when more direct routes exist.

In the next page, we'll examine:

The complete triangle routing path
Why packets must traverse the home network
Efficiency problems with triangle routing
Route optimization as a solution

Page Complete

You now understand Care-of Addresses—the temporary location markers that enable packet delivery to mobile nodes. The CoA bridges the gap between stable identity (home address) and changing location, forming the essential mechanism that makes IP mobility possible.

4 / 5

Loading learning content...

Computer NetworksMobile IP

Mobile IP: Enabling Seamless Network Mobility

LevelAdvanced

Duration90 mins

TopicMobile IP

4 / 5

Care-of Address

The Mobile Node's Current Location

What You Will Learn

Care-of Address: Fundamental Concepts

Formal Definition (RFC 5944):

A Care-of Address is the termination point of a tunnel toward a mobile node, for datagrams forwarded to the mobile node while it is away from home. The protocol can use two different types of care-of address: a "foreign agent care-of address" is an address of a foreign agent with which the mobile node is registered, and a "co-located care-of address" is an externally obtained local address which the mobile node has associated with one of its own network interfaces.

The Two Address Identity:

A mobile node, when away from home, effectively has a dual identity:

Mobile Node's Dual Address Identity
Address Type	Purpose	Stability	Visibility
Home Address	Identity - Who the MN is	Permanent (doesn't change)	Visible to correspondents, used in TCP connections
Care-of Address	Location - Where the MN is now	Temporary (changes with movement)	Used for tunneling, hidden from correspondents

Converting Mermaid diagram...

Why Must CoA Be Topologically Correct?

IPv6 and Address Abundance

Care-of Address Types: FA-CoA vs. CCoA

Mobile IPv4 defines two types of Care-of Address, each with distinct characteristics, acquisition methods, and implications for the mobile node and network infrastructure.

Type 1: Foreign Agent Care-of Address (FA-CoA)

With FA-CoA, the mobile node uses the Foreign Agent's IP address as its Care-of Address:

Mobile Node Registration:
  Home Address: 10.0.1.50 (MN's permanent identity)
  Care-of Address: 172.16.5.1 (FA's address, shared with other MNs)
  Home Agent: 10.0.1.1

Binding at Home Agent:
  10.0.1.50 → 172.16.5.1

Characteristics:

Multiple mobile nodes share the same CoA
FA differentiates packets by inner destination address
MN doesn't need a unique routable address
Requires FA deployment on visited network

Converting Mermaid diagram...

Type 2: Co-located Care-of Address (CCoA)

With CCoA, the mobile node acquires its own unique IP address on the visited network:

Mobile Node Configuration:
  Interface: wlan0
  Home Address: 10.0.1.50 (configured statically or by Mobile IP)
  Care-of Address: 172.16.5.100 (obtained via DHCP on foreign network)

Mobile Node Registration:
  Home Address: 10.0.1.50
  Care-of Address: 172.16.5.100 (MN's own address)
  Home Agent: 10.0.1.1

Binding at Home Agent:
  10.0.1.50 → 172.16.5.100

Characteristics:

Each MN has unique CoA
MN receives and decapsulates tunneled packets directly
Works on any network with DHCP (no FA required)
Consumes one IPv4 address per mobile node

Detailed FA-CoA vs. CCoA Comparison
Aspect	FA Care-of Address	Co-located Care-of Address
Address Acquisition	From FA Agent Advertisement	From DHCP, static config, or PPP
Decapsulation Point	Foreign Agent	Mobile Node itself
IPv4 Address Usage	Efficient (shared)	One per MN (pressure on IPv4)
Infrastructure Needed	FA on visited network	Standard DHCP only
MN Implementation	Simpler (no tunnel handling)	Complex (tunnel decapsulation)
Registration Flag	D-bit = 0 (FA decapsulates)	D-bit = 1 (MN decapsulates)
NAT Traversal	Possible (FA has external IP)	Complex (MN behind NAT)
Typical Use Case	Operator-managed networks	Public WiFi, BYOD scenarios

The D-bit Flag

Care-of Address Acquisition Methods

Depending on the CoA type, mobile nodes use different mechanisms to obtain their Care-of Address when arriving on a foreign network.

Method 1: Foreign Agent Advertisement (for FA-CoA)

When a Foreign Agent is present, the mobile node learns the CoA from Agent Advertisements:

Converting Mermaid diagram...

Method 2: DHCP Acquisition (for CCoA)

Without a Foreign Agent, the mobile node obtains an address through standard DHCP:

1. MN connects to foreign network (e.g., WiFi association)
2. MN broadcasts DHCP Discover
3. DHCP server responds with Offer: 172.16.5.100/24
4. MN sends Request, receives Ack
5. MN configures interface with 172.16.5.100
6. MN uses 172.16.5.100 as Co-located CoA
7. MN sends Registration Request to HA:
   - Home Address: 10.0.1.50
   - Care-of Address: 172.16.5.100
   - D-bit: 1 (MN will decapsulate)

Method 3: PPP/IPCP (for CCoA)

On dial-up or point-to-point connections, the address is negotiated via IPCP:

PPP Connection:
  LCP negotiation
  Authentication (PAP/CHAP)
  IPCP negotiation:
    - NAS assigns IP: 172.16.5.200
    - MN uses 172.16.5.200 as CCoA

Method 4: Static Configuration (for CCoA)

In some scenarios, mobile nodes have pre-configured addresses:

Enterprise laptops with reserved addresses
IoT devices with SIM cards and static IP
VPN configurations with assigned addresses

DHCP Lease Considerations

Interface Configuration with Dual Addresses:

When using Co-located CoA, the mobile node's interface may need to be configured with both addresses:

Network Interface Configuration:
  Interface: wlan0
  Primary Address: 172.16.5.100/24 (CoA, for routing)
  Secondary Address: 10.0.1.50/32 (Home Address, for application binding)
  Default Gateway: 172.16.5.1

Routing Table:
  Destination        Gateway         Interface
  0.0.0.0/0         172.16.5.1      wlan0     # Default route
  10.0.1.0/24       tunnel0         -         # Home network via tunnel

This configuration allows:

Applications to continue using the home address for connections
Outgoing packets to use the CoA as source for tunnel encapsulation
Incoming tunneled packets to be received at the CoA

The Binding Lifecycle: From Creation to Expiration

Binding States:

Converting Mermaid diagram...

Binding Creation:

1. MN arrives on foreign network
2. MN obtains Care-of Address (FA or DHCP)
3. MN sends Registration Request:
   - Home Address: 10.0.1.50
   - Care-of Address: 172.16.5.23
   - Requested Lifetime: 600 seconds
   - Authentication
4. HA validates request
5. HA creates binding entry:
   {
     home_address: 10.0.1.50,
     care_of_address: 172.16.5.23,
     lifetime: min(requested, max_allowed),  // e.g., 600s
     created_at: current_time,
     sequence_number: request.identification
   }
6. HA sends Registration Reply (code=0)
7. HA begins tunneling packets for 10.0.1.50

Binding Refresh (Re-registration):

Bindings expire after their lifetime. The mobile node must re-register before expiration to maintain connectivity:

Timeline:
  T=0:    Initial registration, lifetime=600s
  T=300:  MN sends re-registration (halfway point is common)
  T=300:  HA accepts, resets lifetime to 600s
  T=600:  (Would have expired, but re-registration extended it)
  T=600+: MN still reachable

Re-registration Strategy:
  - Register at T = initial_lifetime * 0.5 (safe margin)
  - If reply not received, retry with backoff
  - If lifetime is very short, register more frequently

Binding Expiration:

If the mobile node fails to re-register (battery died, moved away without deregistering, network failure), the binding expires:

1. HA binding timer fires at T=lifetime
2. Check: Is current_time > created_at + lifetime?
3. If yes:
   - Remove binding from cache
   - Stop proxy ARP for home address (optional)
   - Future packets: no tunnel, may go to home network directly
     or trigger ICMP Host Unreachable

Explicit De-registration:

When a mobile node returns home, it should explicitly deregister:

De-registration Request:
  Home Address: 10.0.1.50
  Care-of Address: 10.0.1.50 (same as home, or 0.0.0.0)
  Lifetime: 0  ← Key indicator of de-registration

HA Processing:
  1. Receive request with lifetime=0
  2. Remove binding for 10.0.1.50
  3. Stop tunneling
  4. Send gratuitous ARP to return L2 traffic to MN
  5. Reply with code=0 (de-registration accepted)

Lifetime Negotiation

Handoff: Changing Care-of Addresses

Handoff Scenarios:

Inter-network handoff: Moving from one network to a completely different network (e.g., home WiFi to coffee shop WiFi)
Inter-FA handoff: Moving between different Foreign Agents on different subnets
Intra-FA handoff: Moving within the same FA's coverage (no CoA change needed)
Technology handoff: Switching between network technologies (e.g., WiFi to cellular)

Converting Mermaid diagram...

Handoff Latency Analysis:

The time during which a mobile node is unreachable during handoff (packets sent to old CoA are lost) is called handoff latency:

Handoff Latency Components:

1. Movement Detection (L2 events, Agent Advertisement)  ~100-500ms
2. CoA Acquisition (DHCP or FA advertisement)          ~50-500ms  
3. Registration RTT (MN → HA → MN via FA)              ~20-200ms
4. Binding Update Processing at HA                      ~1-10ms

Total Typical Handoff Latency: 200ms - 1200ms

During this window:
- Packets to old CoA: Lost (old FA drops, or MN unreachable)
- New connections: Can't start until registration complete
- Existing connections: TCP will retransmit lost segments

Simultaneous Bindings:

To reduce packet loss during handoff, Mobile IP supports simultaneous bindings—maintaining bindings for both old and new CoAs temporarily:

Simultaneous Bindings:
  Registration Request:
    S-bit = 1 (request simultaneous binding)

  HA Binding Cache (during transition):
    10.0.1.50 → 172.16.5.1 (old CoA, expiring soon)
    10.0.1.50 → 192.168.1.1 (new CoA, fresh lifetime)

  HA Tunneling Behavior:
    - Send copy of packet to both CoAs
    - MN receives on whichever network has connectivity

  After old binding expires:
    10.0.1.50 → 192.168.1.1 (only new CoA remains)

Make-before-break vs. Break-before-make:

Pattern	Description	Packet Loss
Break-before-make	Disconnect from old, then connect to new	Higher (gap)
Make-before-break	Connect to new before disconnecting old	Lower (overlap)

Simultaneous bindings enable make-before-break handoffs, reducing packet loss significantly.

Fast Handoff Extensions

Address Conflicts, NAT, and Edge Cases

Private Address Spaces and Conflicts:

If the visited network uses the same private address space as the home network, the mobile node may acquire a CoA that conflicts with its home address or home network:

Scenario:
  Home Network: 192.168.1.0/24
  MN Home Address: 192.168.1.50
  
  Visited Network: 192.168.1.0/24 (same prefix!)
  CoA from DHCP: 192.168.1.75

Problem:
  - Routing is ambiguous
  - MN can't distinguish home from foreign network
  - Return path for tunneled packets unclear

Solution:
  - Use globally unique home addresses when possible
  - Or use prefix-based home network detection, not just address

NAT Traversal Challenges:

When a mobile node is behind NAT, its CoA (the private address assigned by DHCP) is not globally routable:

NAT Scenario:
  MN obtains: 10.0.0.50 (private, behind NAT)
  NAT External: 203.0.113.10 (public)
  
  MN registers with CoA: 10.0.0.50
  HA tries to tunnel to: 10.0.0.50
  Result: FAILS - 10.0.0.50 not reachable from Internet
  
Solution: NAT Traversal for Mobile IP
  MN must:
  1. Detect it's behind NAT (STUN/TURN)
  2. Use public address or FA that NAT can reach
  3. Alternatively, use reverse tunneling only

UDP Encapsulation for NAT:

To traverse NAT, Mobile IP can use UDP encapsulation instead of raw IP-in-IP:

Standard IP-in-IP (doesn't traverse NAT):
  Outer IP: HA → Private CoA
  Inner IP: CN → MN Home
  [NAT has no UDP port to track, can't translate]

UDP Encapsulation (NAT-friendly):
  Outer IP: HA → NAT Public
  Outer UDP: src_port → MN registered port
  Inner IP: CN → MN Home
  [NAT can track UDP mapping, translate correctly]

Care-of Address Edge Cases
Edge Case	Problem	Solution
Same prefix at home& foreign	Can't detect foreign network	Use Agent Advertisements, not just prefix
CoA behind NAT	Global unreachability	NAT-T (UDP encapsulation), reverse tunnel only
DHCP lease expires	CoA invalid, packets lost	DHCP renew before Mobile IP re-registration
CoA exhaustion	No addresses available	Use FA-CoA, or wait for DHCP
IPv6 transition	Dual-stack complexity	Mobile IPv6 (MIPv6) or DSMIPv6

The NAT Problem is Serious

Care-of Address Security

Threat 1: Redirection Attack

Attack Scenario:
1. Attacker learns victim's home address (10.0.1.50)
2. Attacker crafts Registration Request:
   - Home Address: 10.0.1.50 (victim)
   - CoA: 198.51.100.99 (attacker's machine)
3. If accepted, all traffic for victim goes to attacker

Mitigation: MN-HA Authentication
  - Attacker doesn't have shared secret
  - Can't create valid authenticator
  - HA rejects registration (code 67: auth failed)

Threat 2: Replay Attack

Attack Scenario:
1. Attacker captures valid Registration Request
2. Later replays it from different location
3. Attempts to reset CoA to old value

Mitigation: Identification field + Sequence checking
  - HA tracks last seen Identification per MN
  - Replayed requests have old Identification
  - Rejected with code 133 (Identification mismatch)

Threat 3: CoA Validation (Binding Attack on CN)

In route optimization (Mobile IPv6), the mobile node informs correspondent nodes directly of its CoA. This creates risk of attacks:

Binding Update Attack:
1. Attacker sends Binding Update to CN:
   "MN 10.0.1.50 is now at CoA 198.51.100.99 (attacker)"
2. CN sends traffic to attacker instead of real MN

Mitigation: Return Routability (RR) Procedure
  - CN challenges MN to prove reachability at claimed CoA
  - MN must receive keying material at both home addr AND CoA
  - Only legitimate MN can complete procedure

Threat 4: Flooding Attack via Home Agent

Amplification Attack:
1. Attacker registers MN with victim's IP as CoA
2. HA tunnels all traffic toward victim
3. Victim receives flood of unwanted encapsulated packets

Mitigation (partial):
  - HA rate limiting
  - CoA reachability verification (HA pings CoA)
  - Ingress filtering at source networks

CoA Security Best Practices

•Strong MN-HA authentication — Use HMAC-SHA256 or better, not MD5
•IPsec for control plane — Encrypt and authenticate registration messages
•IPsec for data plane — Encrypt tunneled traffic (ESP tunnel mode)
•Short binding lifetimes — Limit window for stale bindings
•Careful key management — Rotate shared secrets, use per-MN keys
•CoA reachability checks — HA can verify CoA is responsive before binding

Summary: The Care-of Address as Location Marker

Key Takeaways

•CoA represents current location — It's the tunnel endpoint where the HA sends encapsulated packets destined for the MN's home address.
•Two CoA types exist — FA-CoA (shared, FA handles decapsulation) and Co-located CoA (unique, MN handles decapsulation).
•CoA acquisition varies — FA advertisement provides FA-CoA; DHCP, PPP, or static config provides CCoA.
•Bindings have lifecycles — Created on registration, refreshed on re-registration, expire without renewal, removed on de-registration.
•Handoffs update CoA — Moving between networks triggers new registration with new CoA; simultaneous bindings reduce packet loss.
•Security is critical — Authentication prevents attackers from registering false CoAs and hijacking mobile node traffic.

What's Next: Triangle Routing

In the next page, we'll examine:

The complete triangle routing path
Why packets must traverse the home network
Efficiency problems with triangle routing
Route optimization as a solution

Page Complete

4 / 5