Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
Chapter 6 Configuring Proxy Mobile IP
Data packets addressed to the visiting client are routed to its home network, where the home agent
intercepts and tunnels them to the care-of address toward the visiting client. Tunneling has two primary
functions: encapsulation of the data packet to reach the tunnel endpoint, and decapsulation when the
packet is delivered at that endpoint. The tunnel mode that the access point supports is IP Encapsulation
within IP Encapsulation.
Typically, the visiting client sends packets as it normally would. The access point intercepts these
packets and sends them to the foreign agent, which routes them to their final destination, the
correspondent node.

Proxy Mobile IP Security

Mobile IP uses a strong authentication scheme to protect communications to and from visiting clients.
All registration messages between a visiting client and the home agent must contain the mobile-home
authentication extension (MHAE). Proxy Mobile IP also implements this requirement in the registration
messages sent by the access point on behalf of the visiting clients to the home agent.
The integrity of the registration messages is protected by a shared 128-bit key between the access point
(on behalf of the visiting client) and the home agent. You can enter the shared key on the access point or
on a RADIUS server.
The keyed message digest algorithm 5 (MD5) in prefix+suffix mode is used to compute the authenticator
value in the appended MHAE. Mobile IP and proxy Mobile IP also support the hash-based message
authentication code (HMAC-MD5). The receiver compares the authenticator value it computes over the
message with the value in the extension to verify the authenticity.
Optionally, the mobile-foreign authentication extension and the foreign-home authentication extension
are appended to protect message exchanges between a visiting client and foreign agent and between a
foreign agent and home agent, respectively.
Replay protection uses the identification field in the registration messages as a timestamp and sequence
number. The home agent returns its timestamp to synchronize the visiting client for registration. In
proxy Mobile IP, the visiting clients are not synchronized to their home agents because the access point
intercepts all home agent messages. If the timestamp in the first registration request is out of the
tolerance window (± 7 seconds), the request is rejected. The access point uses the information from the
rejection to create a valid value and resends the registration request.
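
The authenticator check and replay window described in this section, as an added Python example (not Cisco's code and not part of the original guide). The message layout is simplified and constructed: the identification field is placed first, and the key, SPI and field contents are made-up sample values.

```python
import hashlib
import hmac
import struct

MHAE_TYPE = 32     # mobile-home authentication extension type (Mobile IP RFC)
TOLERANCE_S = 7    # replay tolerance window from the text above

def authenticator(key, protected, mode="prefix+suffix"):
    """Return the 128-bit authenticator over the protected bytes."""
    if mode == "prefix+suffix":
        # Keyed MD5 in prefix+suffix mode: MD5(key || data || key)
        return hashlib.md5(key + protected + key).digest()
    return hmac.new(key, protected, hashlib.md5).digest()  # HMAC-MD5

def append_mhae(key, message, spi, mode="prefix+suffix"):
    """Append type, length, SPI and authenticator to a registration message."""
    # Length counts the 4-byte SPI plus the 16-byte authenticator.
    header = struct.pack("!BBI", MHAE_TYPE, 4 + 16, spi)
    return message + header + authenticator(key, message + header, mode)

def verify(key, packet, now_s, mode="prefix+suffix"):
    """Receiver side: recompute the authenticator, then check the timestamp."""
    protected, received = packet[:-16], packet[-16:]
    expected = authenticator(key, protected, mode)
    if not hmac.compare_digest(expected, received):   # constant-time compare
        return "bad-authenticator"
    # Assumed layout: the packet starts with the 64-bit identification
    # field, whose high-order 32 bits carry the timestamp in seconds.
    sent_s = struct.unpack("!I", packet[:4])[0]
    if abs(now_s - sent_s) > TOLERANCE_S:
        return "id-mismatch"
    return "accepted"

def demo():
    key = bytes(range(16))                  # constructed 128-bit shared key
    now = 1_000_000                         # constructed home agent clock
    body = b"constructed registration fields"
    packet = append_mhae(key, struct.pack("!II", now, 1) + body, spi=0x100)
    tampered = packet[:10] + bytes([packet[10] ^ 1]) + packet[11:]
    stale = append_mhae(key, struct.pack("!II", now - 30, 1) + body, spi=0x100)
    return (verify(key, packet, now),       # valid request
            verify(key, tampered, now),     # one bit flipped in transit
            verify(key, stale, now),        # timestamp outside the window
            verify(bytes(16), packet, now)) # receiver holds a different key
```

The stale request carries a valid authenticator and is still rejected, which is the case the access point recovers from by resending with a corrected identification value.
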
The Proxy Mobile IP Setup Page
This section describes the Proxy Mobile IP Setup page and the links it provides to other pages you use
to set up proxy Mobile IP on your access point. Figure 6-5 shows the Proxy Mobile IP Setup page.