101
0/240
Loading content...
While the Home Agent serves as the permanent anchor for mobile nodes, what happens at the destination end of the tunnel? When a mobile device arrives on a new network—whether it's a coffee shop WiFi, a cellular network, or a corporate branch office—it needs assistance to integrate into that network and receive tunneled traffic.
Enter the Foreign Agent (FA): a router on the visited network that provides mobility services to visiting mobile nodes. The Foreign Agent acts as the local representative, advertising its presence, relaying registration requests, and often serving as the tunnel endpoint that decapsulates packets destined for mobile nodes.
Think of the Foreign Agent as an embassy or consulate in a foreign country—it provides essential services to visitors who are far from home, acting as an intermediary between them and their home infrastructure.
By the end of this page, you will understand the Foreign Agent's architecture and functions, how mobile nodes discover FAs through agent advertisements, the difference between FA-based and co-located Care-of Addresses, and the specific scenarios where Foreign Agents provide value over direct Mobile Node-Home Agent communication.
The Foreign Agent (FA) is a router on a network visited by a mobile node that provides routing services to registered mobile nodes. It decapsulates and delivers datagrams that were tunneled by the mobile node's home agent.
Formal Definition (RFC 5944):
A Foreign Agent is a router on a mobile node's visited network which provides routing services to the mobile node while registered. The foreign agent detunnels and delivers datagrams to the mobile node that were tunneled by the mobile node's home agent.
Why Does the Foreign Agent Exist?
The Foreign Agent isn't strictly required for Mobile IP to function—mobile nodes can communicate directly with their Home Agent using a "co-located" Care-of Address. However, Foreign Agents provide several significant benefits:
Core Responsibilities of a Foreign Agent:
When a mobile node arrives on a new network, its first task is to determine whether it's on its home network or a foreign network, and if foreign, whether a Foreign Agent is available. This is accomplished through the Agent Discovery mechanism.
Agent Discovery is based on ICMP Router Discovery (RFC 1256) with extensions for mobility:
Agent Advertisement Message:
The Agent Advertisement extends the standard ICMP Router Advertisement with a Mobility Agent Advertisement Extension:
Message Structure:
ICMP Router Advertisement Header (RFC 1256):
┌─────────────────────────────────────────────────────────────┐
│ Type (9) │ Code (0) │ Checksum │
├─────────────────────────────────────────────────────────────┤
│ Num Addrs │ Addr Size │ Lifetime │
├─────────────────────────────────────────────────────────────┤
│ Router Address[1] │
├─────────────────────────────────────────────────────────────┤
│ Preference Level[1] │
└─────────────────────────────────────────────────────────────┘
Mobility Agent Advertisement Extension:
┌─────────────────────────────────────────────────────────────┐
│ Type (16) │ Length │ Sequence Number │
├─────────────────────────────────────────────────────────────┤
│ Registration Lifetime │R│B│H│F│M│G│r│T│ Reserved │
├─────────────────────────────────────────────────────────────┤
│ Care-of Address[1] │
├─────────────────────────────────────────────────────────────┤
│ Care-of Address[2] │
├─────────────────────────────────────────────────────────────┤
│ ... │
└─────────────────────────────────────────────────────────────┘
| Flag | Name | Meaning When Set |
|---|---|---|
| R | Registration Required | MN must register through FA even for direct Internet access |
| B | Busy | FA is too busy to accept more registrations |
| H | Home Agent | This agent offers Home Agent services |
| F | Foreign Agent | This agent offers Foreign Agent services |
| M | Minimal Encapsulation | FA supports minimal encapsulation (RFC 2004) |
| G | GRE Encapsulation | FA supports GRE encapsulation (RFC 2784) |
| r | Reserved | Reserved for future use |
| T | Reverse Tunnel | FA supports reverse tunneling |
Agent Detection Logic:
Mobile nodes use Agent Advertisements to determine their network context:
def process_agent_advertisement(advert):
if advert.router_address == my_home_agent:
# We're on the home network
if currently_registered:
deregister_from_home_agent()
return HOME_NETWORK
elif advert.has_mobility_extension:
if advert.foreign_agent_flag:
# FA available on this foreign network
initiate_registration_via_fa(advert.care_of_address)
return FOREIGN_NETWORK_WITH_FA
elif advert.home_agent_flag and not advert.foreign_agent_flag:
# Another home network (not ours)
obtain_colocated_coa()
return FOREIGN_NETWORK_NO_FA
else:
# No mobility agent on this network
obtain_colocated_coa()
return FOREIGN_NETWORK_NO_FA
Foreign Agents typically advertise every 1-10 seconds. More frequent advertisements allow faster detection of FA availability but consume more bandwidth. Mobile nodes can also send Agent Solicitations for immediate discovery when they detect a network change.
The Foreign Agent's internal architecture is optimized for handling visiting mobile nodes, with components focused on advertisement, registration relay, and packet processing for visitors.
Key Architectural Components:
| Component | Function | Implementation Details |
|---|---|---|
| Agent Advertiser | Broadcasts FA presence | Periodic ICMP timer, multicast to 224.0.0.1 |
| Solicitation Handler | Responds to MN queries | ICMP type 10 listener, immediate advertisement response |
| Visitor List | Tracks registered MNs | Table: MN home addr, HA addr, registration lifetime |
| Registration Relay | Forwards requests to HA | UDP client to HA port 434, adds FA extensions |
| Tunnel Endpoint | Decapsulates HA tunnels | IP-in-IP/GRE decapsulation, protocol 4/47 handler |
| Local Delivery | Sends packets to MN | ARP resolution, Layer 2 delivery on local subnet |
The Visitor List:
Unlike the Home Agent's binding cache, the Foreign Agent maintains a Visitor List that tracks mobile nodes currently registered through it:
Visitor List Entry Structure:
├── Mobile Node Home Address: 10.0.1.50
├── Mobile Node Link-Layer Address: AA:BB:CC:DD:EE:FF
├── Home Agent Address: 10.0.1.1
├── Registration Identification: 0x12345678ABCDEF01
├── Registration Lifetime: 600 seconds
├── Time Registered: 1705312200
├── UDP Source Port: 54321 (for return path)
└── Flags:
├── Reverse Tunnel Active: true
└── Broadcast Forwarding: false
The visitor list serves two primary purposes:
When a mobile node wants to register with its Home Agent, the Foreign Agent can serve as an intermediary, relaying registration messages. This provides several advantages and involves specific processing at the FA.
Registration Flow Through Foreign Agent:
FA Processing of Registration Request:
def handle_registration_request(request, mn_link_addr):
# Validate basic request format
if not request.is_valid():
return send_reply(code=POORLY_FORMED_REQUEST)
# Check if we can accept this MN
if visitor_list.is_full():
return send_reply(code=INSUFFICIENT_RESOURCES)
if request.lifetime > MAX_REGISTRATION_LIFETIME:
request.lifetime = MAX_REGISTRATION_LIFETIME
# Add FA's Care-of Address if not already present
if request.care_of_address == 0:
request.care_of_address = my_care_of_address
# Create pending entry
pending_registrations[request.identification] = {
'mn_home_addr': request.home_address,
'mn_link_addr': mn_link_addr,
'request_time': now(),
'mn_source_port': request.udp_source_port
}
# Forward to Home Agent
forward_to_ha(request, request.home_agent_address)
FA Processing of Registration Reply:
def handle_registration_reply(reply):
# Find pending request
pending = pending_registrations.get(reply.identification)
if not pending:
return # No matching request, discard
if reply.code == 0: # Accepted
# Add to visitor list
visitor_list.add({
'home_address': pending['mn_home_addr'],
'link_address': pending['mn_link_addr'],
'lifetime': reply.lifetime,
'registered_at': now()
})
# Clean up pending entry
del pending_registrations[reply.identification]
# Forward reply to MN
send_to_mn(reply, pending['mn_link_addr'], pending['mn_source_port'])
While MN-HA authentication is mandatory, MN-FA authentication is optional. When used, it provides additional assurance that the mobile node is authorized to use the Foreign Agent's services. Network operators may require this to control who can consume FA resources.
The Foreign Agent serves as the tunnel endpoint for packets sent by the Home Agent. Understanding how the FA processes tunneled packets is essential for comprehending the complete data path in Mobile IP.
Tunnel Decapsulation Process:
When a packet arrives at the Foreign Agent with an outer destination address matching the FA's Care-of Address and an IP protocol number indicating encapsulation (4 for IP-in-IP, 47 for GRE):
Incoming Tunneled Packet:
┌─────────────────────────────────────────┐
│ Outer IP Header │
│ Source: 10.0.1.1 (Home Agent) │
│ Dest: 172.16.5.1 (FA Care-of Addr) │
│ Protocol: 4 (IP-in-IP) │
├─────────────────────────────────────────┤
│ Inner IP Header │
│ Source: 203.0.113.100 (Correspondent) │
│ Dest: 10.0.1.50 (MN Home Address) │
│ Protocol: TCP (6) │
├─────────────────────────────────────────┤
│ TCP Header + Payload │
└─────────────────────────────────────────┘
After FA Decapsulation:
┌─────────────────────────────────────────┐
│ Inner IP Header (now outer) │
│ Source: 203.0.113.100 (Correspondent) │
│ Dest: 10.0.1.50 (MN Home Address) │
│ Protocol: TCP (6) │
├─────────────────────────────────────────┤
│ TCP Header + Payload │
└─────────────────────────────────────────┘
FA Decapsulation and Delivery Algorithm:
def handle_tunneled_packet(outer_packet):
# Verify this is meant for us
if outer_packet.destination != my_care_of_address:
return # Not for us
# Extract inner packet
if outer_packet.protocol == 4: # IP-in-IP
inner_packet = decapsulate_ipip(outer_packet)
elif outer_packet.protocol == 47: # GRE
inner_packet = decapsulate_gre(outer_packet)
else:
return # Unknown encapsulation
# Validate inner packet has registered MN destination
mn_home_addr = inner_packet.destination
visitor = visitor_list.lookup(mn_home_addr)
if visitor is None:
# MN not in visitor list - might have left
send_icmp_unreachable(outer_packet.source)
return
if visitor.is_expired():
# Registration expired
visitor_list.remove(mn_home_addr)
send_icmp_unreachable(outer_packet.source)
return
# Deliver to MN via Layer 2
mn_link_addr = visitor.link_layer_address
deliver_locally(inner_packet, mn_link_addr)
The FA caches the mobile node's MAC address during registration. This avoids ARP overhead for every delivered packet. When the MN sends its registration request, the FA learns the MN's MAC from the Ethernet frame and stores it in the visitor list.
Handling Visitor List Expiration:
When a visitor list entry expires (the MN didn't re-register), the FA takes cleanup actions:
This expiration mechanism ensures the FA doesn't indefinitely hold entries for mobile nodes that have left without explicit deregistration (e.g., battery died, moved to different network).
Mobile IP supports two distinct modes of operation based on whether a Foreign Agent is used. Understanding these modes is critical for deployment decisions.
Foreign Agent Care-of Address (FA-CoA):
In this mode, the mobile node uses the Foreign Agent's IP address as its Care-of Address:
Co-located Care-of Address (CCoA):
In this mode, the mobile node obtains its own IP address (typically via DHCP) and uses that as its Care-of Address:
| Aspect | FA Care-of Address | Co-located Care-of Address |
|---|---|---|
| Address Consumption | One address per FA (efficient) | One address per MN (IPv4 pressure) |
| Infrastructure Required | FA must be deployed | Only DHCP needed |
| MN Complexity | Lower (FA handles decapsulation) | Higher (MN decapsulates) |
| Deployment Flexibility | Limited to networks with FA | Works on any network |
| Path Latency | Slightly higher (extra hop) | Lower (direct delivery) |
| Ingress Filtering | No issues (FA addr is local) | May fail (MN addr not in local prefix) |
| Scalability | FA can be bottleneck | Scales with network capacity |
Ingress Filtering and the CCoA Challenge:
When a mobile node with a co-located CoA sends packets, the source address is its home address (for connection continuity), not the CoA. Network operators often implement ingress filtering (BCP38/RFC 2827), which drops packets with source addresses outside the local prefix.
Example problem:
MN on network 172.16.5.0/24 sends packet:
Source: 10.0.1.50 (home address)
Dest: 203.0.113.100 (correspondent)
Ingress filter at 172.16.5.0/24 gateway:
"10.0.1.50 is not in 172.16.5.0/24 - DROP!"
Solution: Reverse Tunneling (covered in detail later)
The MN encapsulates outgoing packets and sends them through a tunnel to the HA. The outer source is the CoA (topologically correct), so ingress filters pass it.
In the early 2000s when Mobile IPv4 was deployed, FA-CoA was strongly preferred to conserve IPv4 addresses. Today, with CGN (Carrier-Grade NAT) and IPv6 deployment, the address conservation benefit of FA-CoA is less critical, and the deployment simplicity of CCoA (requiring no special infrastructure) is often preferred.
Standard Mobile IP handles packets to the mobile node (via HA tunneling) but doesn't address packets from the mobile node. When a mobile node sends packets, it uses its home address as the source (to maintain transport connections), which can trigger ingress filtering.
Reverse Tunneling solves this by having the MN tunnel its outgoing packets back to the Home Agent, which then forwards them into the Internet.
Reverse Tunnel Flow:
Reverse Tunneling Modes:
1. MN Encapsulation (Co-located CoA):
MN creates:
Outer IP: Src=CoA, Dst=HA
Inner IP: Src=HomeAddr, Dst=CN
Sends directly to HA.
2. FA Encapsulation (FA-CoA):
MN sends regular packet: Src=HomeAddr, Dst=CN
FA intercepts, encapsulates:
Outer IP: Src=FA, Dst=HA
Inner IP: Src=HomeAddr, Dst=CN
Forwards to HA.
Requesting Reverse Tunneling:
The mobile node requests reverse tunneling during registration by setting the T (Tunnel) flag in the Registration Request. Both the FA and HA must support reverse tunneling for this to work.
The Foreign Agent provides critical services for mobile nodes visiting a foreign network. While not strictly required (co-located CoA mode works without FA), Foreign Agents offer significant benefits for address conservation, MN simplicity, and ingress filter compatibility.
What's Next: Care-of Address
Now that we understand both the Home Agent and Foreign Agent, we need to dive deeper into the Care-of Address concept. This is the temporary address that represents the mobile node's current location and serves as the tunnel endpoint.
In the next page, we'll examine:
You now understand the Foreign Agent's role in Mobile IP—acting as the local helper on visited networks. The FA provides agent discovery, registration relay, tunnel termination, and optional reverse tunneling services to enable seamless mobility for visiting devices.