From: bjorn chambless
Date: Mon, 1 Sep 1997 14:10:23 -0700 (PDT)
Message-Id: <199709012110.OAA21620@sirius.cs.pdx.edu>

HARP - "Home Agent Redundancy Protocol"

Bjorn Chambless
Portland State University, Department of Computer Science

Table of Contents

   1. Introduction
      1.1. Design Goals
      1.2. Applicability
      1.3. Terminology
      1.4. Functional Requirements
   2. Protocol Overview
      2.1. Home Agent Failure
      2.2. Home Agent Startup
   3. Topology
      3.1. Mobile Node Away
      3.2. Mobile Node At Home
   4. HARP Messages
      4.1. Message Types and Functions
      4.2. Message Formats
         4.2.1. Harp Ping (HARP_PING)
         4.2.2. Harp Ping Acknowledge (HARP_ACK)
         4.2.3. Harp Registration Forward (HARP_FORWARD)
         4.2.4. Harp Registration Dump Request (HARP_DUMP_REQ)
         4.2.5. Harp Registration Dump (HARP_REG_DUMP)
   5. State Diagrams
      5.1. Home Agent States
      5.2. Home Agent Mobile Node States
   6. Security Considerations

1. Introduction

Mobile IP, as specified in RFC 2002, is designed to allow a Mobile Node (MN) to change its point of attachment in the Internet up to once per second while enjoying seamless network connectivity. The MN is identified by its home IP address regardless of its current network location. Its mobility is not limited by conventional IP network boundaries.

The MIP topology utilizes a router (Home Agent or HA) configured with a network interface which shares the Mobile Node's network prefix. As the Mobile Node's point of attachment changes, it registers its current location with this Home Agent.
When the MN is away from its Home Network, the HA accepts packets addressed to the MN and tunnels them to the Mobile Node at its current point of attachment. This point of attachment is its Care of Address (COA) and may be provided by a Foreign Agent (FA) or be a co-located Care of Address.

In the Mobile IP system, as it is currently specified, a single HA services an MN. The MN is reliant on this Home Agent for its connectivity. Thus the HA represents a single point of failure for Mobile IP.

Though only one Home Agent at a time services an MN, a Home Agent may be responsible for multiple Mobile Nodes. The failure of a single HA may then result in the loss of connectivity for numerous Mobile Nodes located throughout the Internet.

This vulnerability is inconsistent with the fault tolerant nature of the Internet. Additional redundancy is needed; however, the current structure of Mobile IP, together with the nature of the unicast routing infrastructure, precludes the simultaneous use of multiple Home Agents.

1.1 Design Goals

The Home Agent Redundancy Protocol (HARP) aims to remove the Home Agent as a single point of failure for Mobile IP. This is accomplished by allowing Home Agent redundancy to be incorporated into MIP. HARP is to ensure survivability in the face of HA failure and/or localized network failures which may cause a Home Agent to become unreachable.

The protocol is to be implemented entirely through the enhancement of Home Agent functionality. There are to be no additional responsibilities or modifications required of either Mobile Nodes or Foreign Agents.

The system is to be transparent to both Mobile Nodes and Foreign Agents. No network entities other than Home Agents should be aware of when the HARP system is in use or if/when a Home Agent failure has occurred.

In general, the protocol must be scalable and have minimal impact on network load and the allocation of computing resources by hosts engaged in Mobile IP.
The security of the MIP system is not to be compromised, and the enhanced protocol should not require the addition of any new architectural entities to Mobile IP.

1.2 Applicability

Home Agent Redundancy is designed to enhance the survivability of any Mobile IP implementation which conforms to the RFC 2002 specification.

Since Home Agents are the only entities requiring modification, HARP compliant agents remain compatible with Mobile Nodes and Mobility Agents which do not participate in HARP. Thus a HARP compliant Home Agent which also acts as a Foreign Agent may be utilized as the point of attachment by non-HARP MNs. Conversely, a Mobile Node served by HARP may use any MIP compliant Foreign Agent as its Care of Address.

Home Agent Redundancy makes no assumptions about the physical media utilized by the Mobile IP environment. Therefore HARP does not limit the physical implementation of Mobile IP.

1.3 Terminology

Home Agent Redundancy Protocol terminology uses and expands on the Mobile IP terminology presented in RFC 2002. The following terms are specific to the Home Agent Redundancy Protocol.

HARP - Home Agent Redundancy Protocol.

co-HAs
co-Home Agents - A pair of Home Agents acting in concert to provide connectivity to one or more Mobile Nodes. These hosts share an IP address on the Home Subnet but each has a uniquely identified interface outside of the Home Network. Co-HAs exchange registration information regarding Mobile Nodes and periodically test the status of their peer.

Primary-HA
Primary - The Home Agent of a co-HA pair which is currently receiving registration information directly from an MN. The Primary Home Agent shares this information with its co-HA, which is acting as a Secondary (see Secondary), by forwarding registration packets. The Primary designation is subject to change, and may toggle repeatedly as the result of changes in the state of the unicast routing infrastructure.

Secondary-HA
Secondary - A Home Agent of a co-Agent pair which is receiving registration information about a given MN indirectly through its co-Home Agent, which is acting as the Primary (see Primary).

Home Network
Home Subnet - The subnet containing both Home Agents and the home address of the Mobile Node. This subnet may be partitioned and/or virtual. The actual configuration of the Home Subnet is not relevant with respect to MIP and therefore need not be known by the MN. However, a partitioned subnet is recommended as it may provide additional survivability in the event of localized network failure.

Partitioned Subnet - A physically divided Home Subnet. Home Agents in a co-HA pair which exist on a virtual subnet, or on a home subnet implemented with a wireless communication medium, must be considered partitioned, as link layer connectivity cannot be guaranteed between hosts. When the Home Subnet is not partitioned and the Address Resolution Protocol (ARP) is in use, ARP must be disabled on the Home Subnet interface of the Secondary Home Agent (see Secondary) to prevent address conflicts.

Harp Port - The HARP port number is 1588 for both TCP and UDP connections. This port is unallocated as of RFC 1700.

Away (MIP state) - The state of a Mobile Node, with respect to its Home Agent(s), in which datagrams addressed to the MN arrive at its Home Subnet and are tunneled to the MN's Care of Address by one of the Mobile Node's Home Agents.

At Home (MIP state) - The state of a Mobile Node with respect to a Home Agent in which the MN's current point of attachment in the Internet is consistent with its IP address. In this state, the Mobile Node will receive packets directly. Home Agents do not tunnel packets, but act as conventional routers for the Home Subnet. If the Home Network is partitioned, At Home state requires that the MN be located on the same physical link as the Home Agent; otherwise the Mobile Node is in At CoHA state with respect to the Home Agent (see At CoHA).

At CoHA (MIP state) - The state of a Mobile Node, with respect to a Home Agent, in which the MN's home subnet is partitioned and the Mobile Node is located on the same physical link as the HA's co-HA. In this case, packets addressed to the home subnet may arrive on a portion of the home subnet to which the Mobile Node has no link layer attachment. These packets must then be forwarded to the co-HA as the MN's COA.

Initialization State (HA state) - Initial state of a HARP Home Agent, which occurs at boot or when the Mobile IP daemon has been restarted. In this state the Home Agent seeks to establish a TCP connection to its co-HA and request Mobile Node registration information. The Home Agent will not accept TCP connections from its co-HA in this state.

Running State (HA state) - Second state of a HARP Home Agent, in which the HA will tunnel packets to a Mobile Node's current Care of Address. A Home Agent in this state will accept a TCP connection from its co-HA and share Mobile Node registration information through this connection.

1.4. Functional Requirements

a) The Home Agent Redundancy Protocol utilizes a pair of Home Agents acting in concert. Two is specified as the number of Home Agents as additional HAs would have minimal impact on survivability while greatly increasing the complexity of the protocol.

b) The number of Mobile Nodes which may utilize a given pair of Home Agents in the Home Agent Redundancy Protocol is not limited by HARP.

c) A Home Agent may have one and only one co-Home Agent. HAs in the Home Agent Redundancy Protocol operate as a mutually aware pair.

d) Co-Home Agents are not statically configured to be "Primary" and "Secondary". Primary and Secondary status is determined solely by the current relationship between an HA and an MN. The Home Agent which is receiving registration information directly is the Primary Home Agent, making the remaining Home Agent the Secondary.

e) A Mobile Node utilizing HARP need not be aware that Home Agent Redundancy is in effect, nor is the MN to be aware of the existence of multiple Home Agents.

f) The Primary HA will share all MN registration information with the Secondary HA. If there is any change in registration status, the Primary Home Agent will immediately update the Secondary HA with the new information in order to keep both HAs in sync with respect to the MN's current COA and state.

g) A Home Agent must accept and forward packets received which are addressed to an MN for which the HA is maintaining registration information.

h) The Home Agent Redundancy Protocol partially relies on the interior domain routing protocols (e.g. RIP, OSPF). The speed with which Mobile IP can recover from a Home Agent failure or network partition is partially determined by the speed with which these protocols establish a new unicast routing path to the Home Subnet.

2. Protocol Overview

Home Agents in a co-HA pair share a single IP address on the Mobile Node's Home Network, but maintain distinct IP addresses outside the Home Subnet. In the case of a non-partitioned Home Subnet, this necessitates the disabling of ARP on the Home Network interface of the Secondary Home Agent.

Both Home Agents will accept packets addressed to the MN while its point of attachment is away from the Mobile Node's home subnet. In this way the Home Agents become interchangeable for the purposes of Mobile IP.

The Mobile Node is unaware of Home Agent redundancy and sends registration information only once, to the shared HA address located on the Home Subnet. Due to the non-deterministic nature of unicast routing, this information may be received by either Home Agent.

Since either Home Agent may be recognized by the routing infrastructure as a valid path to the Mobile Node's Home Network, it is necessary for both Home Agents to maintain valid forwarding information for Mobile Nodes.
A packet may then be tunneled to a Mobile Node's current COA by either HA. Thus in the event of a Home Agent failure, packets addressed to the MN will continue to be forwarded, and connectivity is not lost. It is the responsibility of an HA to share registration information with its co-HA so that both are able to reliably forward packets.

Since the Mobile Node's Home Network may be virtual and/or partitioned, the Home Agents may be located in widely separated locations, yet both may route to the Home Network. This reduces the threat that a localized network failure will affect Mobile IP, since a route may still exist to the partitioned Home Network.

In the event that a Home Agent fails or the network between a Mobile Node's COA and the HA becomes partitioned, the existing Internet routing protocols (RIP, OSPF) will ensure that the routing path converges to the remaining Home Agent as the remaining path to the Home Subnet.

At boot, a HARP Home Agent will attempt to establish a TCP connection with its co-HA at its Harp Port. If it is successful, this connection is used to pass current Mobile Node registration information from a running HA to a recently started co-HA. When all relevant information has been passed and both Home Agents are synchronized with respect to MN registrations, the TCP connection is closed.

When both Home Agents are in Running State, all communication is handled via UDP packets. Co-HAs periodically send "pings" and "ping acknowledgements" between them so that each may verify the status of its co-HA. An HA will continue its attempts to "ping" its co-HA and pass registration information regardless of the status of the co-HA or the intervening connection.

2.1 Topology

The following diagram roughly illustrates the topology of the Home Agent Redundancy Protocol when a Mobile Node is away from its Home Subnet:

   HA(1)----b----HA(2)
     |             |
     |             |
     c             d
     |             |
     |             |
     -------CH------
              \
               \
                a
                 \
                  \
                   MN

   diagram 1.

Explanation:

Links "c" & "d" represent a possible network connection between a Mobile Node (MN) and its Home Agents (HA(1), HA(2)). It should be noted that these are also the connections between the respective Home Agents and the Internet at large (CH).

Due to the nature of unicast routing, datagrams addressed to the Mobile Node's Home Network may travel either through link "c" or "d". This path reflects the structure of the network as represented in the state of the local unicast routing infrastructure. This routing path will change in the event that the current path fails, either due to partitioning or the failure of a router for the Home Network, i.e. an HA. In this event, the Home Network is determined to be unreachable through the existing path and the system will converge to the alternate routing path, i.e. the other HA.

Link "b" is the connection path between a co-HA pair. Depending on the state of the Home Agents, this may be either a TCP connection or a path for UDP datagrams.

Since the Home Network may be either partitioned or virtual, link "b" might be considered an abstraction. The actual path may incorporate parts of "c" or "d". It is then the case that a partition of "c" or "d" will also be a partition of link "b". This prevents the sharing of registration information between co-HAs; however, since the reachable HA is now guaranteed to receive both registration updates and datagrams to be tunneled, this does not affect connectivity for the Mobile Node.

This topology increases the survivability of Mobile IP by allowing the system to maintain Mobile Node connectivity under the following conditions:

- The failure of either Home Agent.
   In this event, the surviving HA will be the sole destination for IP packets addressed to the Home Subnet.
   Since packets addressed to either HA or the MN will have a destination address located on the Home Subnet and would no longer be deliverable to the failed Home Agent, local routers will adjust and begin routing packets to the remaining HA. MIP will then continue to function as a single HA Mobile IP implementation using the surviving Home Agent.

- The partitioning of either link "c" or "d"
   This will result in the only destination for packets originating at the Mobile Node and addressed to either HA being the Home Agent reachable via the unpartitioned link. Thus local unicast routing protocols will adapt and deliver packets to the reachable HA. This situation is very similar to the failure of a Home Agent.

- The partitioning of link "b"
   The loss of the link connecting the Home Agent pair will leave the HAs unable to exchange registration information. The Home Agents will continue to forward packets to the last known COA for the MN. It is likely that this condition will be accompanied by a partitioning of link "c" or "d" (as described above). The reachable HA will then be the recipient of both registration information from the Mobile Node and packets requiring tunneling to the MN's COA.

The following diagram illustrates the alternate HARP topology, in which the Mobile Node's point of attachment to the Internet is the Home Subnet:

     MN
   HA(1)-----b------HA(2)
     |                |
     |                |
     c                d
     |                |
     |                |
     |------CH--------|

   diagram 2.

Explanation:

The MN is located on the Home Subnet and will be physically located on the same link as at least one Home Agent. If both HAs exist on the same link, the HAs no longer act as proxies for the MN and the Mobile Node receives packets addressed to it directly.

If the Home Subnet is partitioned, the HAs are configured such that the Secondary-HA (located on a separate physical link from the MN) will continue accepting packets addressed to the MN and tunnel them to the Primary HA via link "b".
The Care of Address for the Mobile Node, according to the Secondary-HA, will then be the address of its co-HA, which is acting as the Primary Home Agent.

This topology increases the survivability of Mobile IP by allowing the system to maintain connectivity under the following conditions:

- The failure of the Secondary-Home Agent
   This HA will no longer be a path to the Home Subnet, so unicast routing will ensure packets are delivered to the Primary HA via link "c".

- The partitioning of link "d"
   In terms of routing, this represents the same situation as the failure of the Secondary-HA. Again, datagrams will be delivered to the Primary-HA as the remaining path to the Home Subnet.

- The failure of the Primary-Home Agent
   If the Home Subnet is not virtual and not partitioned, packets will be routed along the remaining path to the Home Subnet via the Secondary-Home Agent. If the Home Subnet is partitioned, the loss of the Primary-Home Agent will mean the loss of the only route to the link. Since there is no network path to the MN's current location, the MN will remain without connectivity until either the router is restored or the MN registers with another mobility agent.

4. HARP Messages

HARP messages are sent between co-HAs at regular intervals in order to exchange registration information and test the integrity of the inter-co-HA connection. HARP uses either TCP or UDP depending on the message type. TCP is used to transfer complete Mobile Node registration tables, while UDP is used for incremental registration updates and connectivity testing.

The Home Agent Redundancy Protocol relies on five message types:

HARP_PING - Message sent at configurable intervals from one co-HA to another to confirm connectivity. This message type utilizes the User Datagram Protocol. If the Home Agent receives no response from its co-HA peer, the co-HA is assumed to be unreachable.

HARP_ACK - Sent in response to a ping to acknowledge that the PING message has been received.
This message type utilizes the User Datagram Protocol.

HARP_FORWARD - This message consists of an encapsulated Mobile Node registration message which is tunneled from the receiving Home Agent to its co-HA. This information is used to update the co-HA's registration tables. This message type uses UDP.

HARP_REG_REQ - A message requesting all Mobile Node registration information. This is the first message sent upon establishment of an inter-co-HA TCP connection. This message type utilizes TCP.

HARP_REG_DUMP - TCP message which contains all Mobile Node registration information maintained by a Home Agent. This message is sent in response to a HARP_REG_REQ.

4.2. Message Formats

All HARP messages are structured in a Tag, Length, Data format, e.g.:

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Data ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

4.2.1 Harp Ping ( HARP_PING )

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           HARP_PING                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               0                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Harp Ping messages consist of four bytes of type followed by four bytes giving the data field size. This field is always zero in the case of Harp Ping.

4.2.2. Harp Ping Acknowledge ( HARP_ACK )

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           HARP_ACK                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               0                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

A Harp Ping Acknowledge message is sent in response to a Harp Ping. This message consists of four bytes of type followed by two bytes of data field size. The size field is always zero in the case of Harp Ping Acknowledge.

4.2.3. Harp Registration Forward

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         HARP_FORWARD                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Size of Mobile IP registration packet             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               Mobile IP registration packet ...               |
   |                                                               |

Harp Registration Forward messages are used to encapsulate and tunnel registration updates received from a Mobile Node. They are sent between co-HAs as a means of tunneling registration information. The message consists of four bytes of type followed by four bytes indicating the length of a Mobile IP registration packet. The Data field is a Mobile IP registration packet of the size indicated by the size field.

4.2.4 Harp Dump Request ( HARP_DUMP_REQ )

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         HARP_DUMP_REQ                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               0                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Harp Dump Request message consists of four bytes of type followed by four bytes giving the size of the data field, which is always zero. A HARP_DUMP_REQ is passed from a Home Agent in Initializing State to its co-HA through the inter-co-HA TCP connection.

4.2.5 Harp Registration Dump ( HARP_REG_DUMP )

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         HARP_REG_DUMP                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Number of Registrations                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      HARP_FORWARD(s) ...                      |
   |                                                               |

A Harp Registration Dump message is sent in response to a Harp Dump Request. It contains the registration information for all Mobile Nodes serviced by a given co-HA pair.
This message consists of four bytes designating the message type, followed by four bytes containing the number of Mobile Node registrations (N), followed by N HARP_FORWARD messages of the previously specified format.

5. State Diagrams

The following state diagrams illustrate the possible states for HARP Home Agents.

5.1. Home Agent States:

                 -------------------
                 |                 |
                 |  Initializing   |
                 |                 |
                 -------------------
                   /\           /\
                  /               \
                 /                 \
                /                   \
               /                     \
             \/                       \/
   ---------------------     ---------------------
   |      Running      |<--->|      Running      |
   |  co-HA Reachable  |     | co-HA UnReachable |
   ---------------------     ---------------------

Explanation:

In "Initializing" state the Home Agent attempts to establish a TCP connection to its co-HA and request Mobile Node registration information. Depending on whether this effort is successful, the HA will enter either "Running / co-HA Reachable" or "Running / co-HA UnReachable". In either of these states the Home Agent will forward packets and will accept TCP connections from its co-HA. The Home Agent may transition between "Reachable" and "UnReachable" based on responses received from its co-HA. The Home Agent may only re-enter the Initializing state if the Mobile IP daemon is shut down.

5.2. Home Agent-Mobile Node States:

   +-------------+                 +-------------+
   |             |                 |             |
   |   At Home   |<--------------->|  At co-HA   |
   |             |                 |             |
   +-------------+                 +-------------+
          ^      ^                 ^      ^
          |       \               /       |
          |        \             /        |
          |         \           /         |
          |          \         /          |
          |           \       /           |
          |            \     /            |
          |             \   /             |
          |               X               |
          |             /   \             |
          |            /     \            |
          |           /       \           |
          |          /         \          |
          |         /           \         |
          |        /             \        |
          |       /               \       |
          v      v                 v      v
   +-------------+                 +-------------+
   |             |                 |             |
   |    Away     |<--------------->|  No State   |
   |             |                 |             |
   +-------------+                 +-------------+

Explanation:

The diagram depicts all possible HA-MN relational states. Transitions between any two states are possible in the HARP model. State changes may occur due to: received registration messages, state timeouts or forwarded registration messages.

'No State' is the initial state of a Mobile Node vis-a-vis its Home Agent(s).
In this state the HA has no information on the current location of the MN and is unable to forward packets addressed to the Mobile Node. A Mobile Node may re-enter 'No State' from another relational state if the registration information maintained by its Home Agent(s) times out.

A Mobile Node is 'Away' when its current point of attachment to the Internet is not the Home Subnet. In this state the Home Agent(s) tunnel packets addressed to the MN to the Mobile Node's Care of Address. A Mobile Node will enter 'Away' state with respect to a Home Agent when the HA receives a registration packet from the MN (either directly or forwarded) which includes a Care of Address from a point of attachment not located on the Home Network.

When an MN is 'At Home', the MN's point of attachment is consistent with the Mobile Node's IP address and the MN is located on the same physical link as the Home Agent. The Home Agent does not tunnel packets addressed to the Mobile Node, but simply acts as a router for the Home Subnet. A Mobile Node will enter 'At Home' state with respect to a given Home Agent when the HA receives a registration packet from the MN indicating that the MN's current point of attachment is located on the Home Network.

'At co-HA' occurs when the Mobile Node is 'At Home' in relation to the Primary HA, but the Home Subnet is partitioned and the Mobile Node is not located on the same physical link as the Home Agent. Packets arriving at the Secondary Home Agent must be tunneled to the Primary HA for delivery to the Mobile Node. This state only exists in topologies in which the Home Subnet is partitioned or virtual. A Mobile Node will enter this relational state when a forwarded registration packet is received by the Secondary HA indicating that the Node's current COA is located on the Home Network.

6. Security Considerations

The term "security" can be divided into two general notions: that of survivability, and that of privacy.
Implementation of the Home Agent Redundancy Protocol may affect both, though it may only increase security with respect to survivability.

In terms of survivability, HARP enhances security by making Mobile IP less susceptible to network-based denial of service attacks, attacks directed toward a host acting as a Home Agent, and non-malicious network failure. Redundancy increases the amount of infrastructure that must be disabled before Mobile Node connectivity is lost, thereby increasing security.

As the Home Agent Redundancy Protocol is an extension to Mobile IP, privacy depends on the security of the base implementation. If the implementation sends all MIP packets "in the clear", security is hardly compromised by a redundancy protocol which does the same. Likewise, if a Mobile IP system encrypts all traffic, the same precautions should be taken with HARP.

The Home Agent Redundancy Protocol is designed to integrate easily into the existing Mobile IP security environment, allowing authentication or encryption measures (e.g. IPSEC) incorporated in the base implementation to be used to secure HARP. Since HARP communications repeat the information transmitted by conventional Mobile IP, and since these communications are likely to traverse a less hostile path, extension of the same security precautions should not increase the vulnerability of the system.
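
The message formats of section 4.2, turned into a decoder that checks every size and count field against the bytes actually received before acting on it. This is an added example, not code from the HARP draft or its author. The numeric type codes, network byte order and the two size caps are assumptions, since the draft defines none of them, and the 32-bit size word follows the diagrams.

```python
import struct

# Assumed type codes: the draft names the five message types but assigns no values.
HARP_PING, HARP_ACK, HARP_FORWARD, HARP_DUMP_REQ, HARP_REG_DUMP = range(1, 6)

HEADER = struct.Struct("!II")  # 4-byte type + 4-byte size/count; byte order assumed
MAX_REG_PACKET = 1024          # assumed cap on one Mobile IP registration packet
MAX_REGISTRATIONS = 4096       # assumed cap on entries in one registration dump


class HarpError(ValueError):
    """The buffer is not a well-formed HARP message."""


def build(msg_type, data=b""):
    """Encode one message: type, size of data, data."""
    return HEADER.pack(msg_type, len(data)) + data


def build_dump(reg_packets):
    """Encode HARP_REG_DUMP: type, count N, then N HARP_FORWARD messages."""
    body = b"".join(build(HARP_FORWARD, p) for p in reg_packets)
    return HEADER.pack(HARP_REG_DUMP, len(reg_packets)) + body


def parse_forward(buf, offset=0):
    """Decode one HARP_FORWARD at offset; return (registration, next_offset)."""
    if len(buf) - offset < HEADER.size:
        raise HarpError("truncated header")
    msg_type, size = HEADER.unpack_from(buf, offset)
    if msg_type != HARP_FORWARD:
        raise HarpError("expected HARP_FORWARD")
    if size > MAX_REG_PACKET:
        raise HarpError("registration packet too large")
    start = offset + HEADER.size
    if len(buf) - start < size:  # size field claims more data than was received
        raise HarpError("size field exceeds received data")
    return bytes(buf[start:start + size]), start + size


def parse(buf):
    """Decode one complete message (TCP data already reassembled by the caller).

    Returns (type, [registration packets]); the list is empty for PING/ACK/DUMP_REQ.
    """
    if len(buf) < HEADER.size:
        raise HarpError("truncated header")
    msg_type, field = HEADER.unpack_from(buf)
    if msg_type in (HARP_PING, HARP_ACK, HARP_DUMP_REQ):
        if field != 0 or len(buf) != HEADER.size:
            raise HarpError("size must be zero with no data following")
        return msg_type, []
    if msg_type == HARP_FORWARD:
        reg, end = parse_forward(buf)
        regs = [reg]
    elif msg_type == HARP_REG_DUMP:
        # Check the count against the bytes actually present before looping on it:
        # every entry needs at least its own 8-byte header.
        if field > MAX_REGISTRATIONS:
            raise HarpError("registration count too large")
        if field * HEADER.size > len(buf) - HEADER.size:
            raise HarpError("registration count not backed by data")
        regs, end = [], HEADER.size
        for _ in range(field):
            reg, end = parse_forward(buf, end)
            regs.append(reg)
    else:
        raise HarpError("unknown message type")
    if end != len(buf):
        raise HarpError("trailing bytes after message")
    return msg_type, regs


def is_well_formed(buf):
    """True if parse() accepts the buffer, False if it raises HarpError."""
    try:
        parse(buf)
        return True
    except HarpError:
        return False


if __name__ == "__main__":
    # Constructed sample data: opaque stand-ins for Mobile IP registration packets.
    dump = build_dump([b"\x01" * 24, b"\x01" * 30])
    print(parse(dump))
    lying = HEADER.pack(HARP_REG_DUMP, 0xFFFFFFFF)  # count with no entries behind it
    short = build(HARP_FORWARD, b"\x01" * 24)[:-1]  # size says 24, only 23 bytes arrive
    print(is_well_formed(lying), is_well_formed(short))
```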