Cisco IOS Software Release 12.2(15)ZL

Release Notes for Cisco 3200 Series Mobile Access Routers for Cisco IOS Release 12.2(15)ZL
OL-3424-01
New and Changed Information
New Software Features in Cisco IOS Release 12.2(15)ZL
The following sections list the new software features supported by Cisco IOS Release 12.2(15)ZL for 
the Cisco 3200 Series Mobile Access Router.
Dynamic CCoA
Dynamic collocated care-of address (CCoA) allows a mobile router to roam to foreign networks in which 
foreign agents are not deployed. A roaming interface with CCoA attempts to find foreign agents on the 
link by soliciting and listening for agent advertisements. If a foreign agent is found, the mobile router 
attempts to register the foreign agent CCoA, and thereafter tries to register only the foreign agent CCoA. 
If a foreign agent is not found, the mobile router tries to register its CCoA and thereafter tries to register 
only its CCoA.
CCoA support is essential and must be manually enabled on each roaming interface. By default, only 
foreign agent CCoA processing is enabled by using the ip mobile router-service command.
Preferred Home Agent
Previously, the home agent (HA) for the mobile router was preconfigured, and only one usable 
home agent configuration was allowed. When roaming, a home agent closer to the mobile router may be preferred. 
This feature allows a home agent that is closer to the mobile router to be selected.
The HA list is configured on the mobile router. Each HA is configured with a priority. HAs are tried, 
commencing with the highest priority. If the HA explicitly denies the registration, or if the maximum 
retry count is exceeded, the mobile router attempts the next highest priority HA.
If the lowest priority HA fails, the mobile router waits until a HA advertisement is received, and then 
tries to register again starting with the highest priority HA.
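The selection order described above can be traced with a short model. This is an added example, not Cisco code: the outcome labels, the `respond` callback, the "higher number is higher priority" convention, the reading of "retry count exceeded" as one first try plus `max_retries` retries, and the 192.0.2.x addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Outcomes of one registration attempt (labels constructed for this model).
ACCEPT, DENY, TIMEOUT = "accept", "deny", "timeout"

@dataclass(frozen=True)
class HomeAgent:
    address: str
    priority: int  # assumption: a higher number means a higher priority

def try_home_agent(ha, respond, max_retries):
    """Return (registered, attempts) for one HA.
    An explicit deny stops at once; a timeout is retried until the
    retry count is exceeded (first try plus max_retries retries)."""
    attempts = 0
    while attempts <= max_retries:
        attempts += 1
        reply = respond(ha, attempts)
        if reply == ACCEPT:
            return True, attempts
        if reply == DENY:
            return False, attempts
    return False, attempts

def register(home_agents, respond, max_retries=2, advertisements=1):
    """Walk the HA list from highest to lowest priority. If the lowest
    priority HA also fails, wait for an advertisement and start again
    from the top, at most `advertisements` times.
    Returns (selected HA or None, log of (address, attempts, result))."""
    ordered = sorted(home_agents, key=lambda h: h.priority, reverse=True)
    log = []
    for pass_no in range(advertisements + 1):
        for ha in ordered:
            ok, attempts = try_home_agent(ha, respond, max_retries)
            log.append((ha.address, attempts, "registered" if ok else "failed"))
            if ok:
                return ha, log
        if pass_no < advertisements:
            log.append(("-", 0, "wait-for-advertisement"))
    return None, log

if __name__ == "__main__":
    # Constructed scenario: top HA unreachable, second denies, third accepts.
    agents = [HomeAgent("192.0.2.30", 10), HomeAgent("192.0.2.10", 100),
              HomeAgent("192.0.2.20", 50)]
    behaviour = {"192.0.2.10": TIMEOUT, "192.0.2.20": DENY, "192.0.2.30": ACCEPT}
    chosen, trace = register(agents, lambda h, n: behaviour[h.address])
    for entry in trace:
        print(entry)
    print("selected:", chosen.address if chosen else None)
```

The trace shows which home agent ends up terminating the Mobile IP tunnel after failures, which is the peer that must be accounted for when reviewing where mobile traffic is forwarded.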
IPSec in the Mobile IP Environment
Security associations (SAs) establish trust between two devices in a peer-to-peer relationship. There are 
two types of security association.
The first is Internet Key Exchange (IKE), which provides negotiation, peer authentication, key 
management, and key exchange. IKE provides a secure communication channel between two devices 
that is used to negotiate an encryption algorithm, a hash algorithm, an authentication method, and any 
relevant group information.
The second type of security association is the IPSec Security Association (IPSec SA). Because an IPSec SA is 
unidirectional, separate IPSec SAs must be established in each direction to provide non-repudiation, 
data integrity, and payload confidentiality. Non-repudiation is often necessary to verify that 
a transaction has taken place, such as a financial exchange between parties. Data integrity verifies that 
packets are not altered in transit by a third party. Payload confidentiality is provided by encryption.
It might be necessary to protect certain traffic on the mobile network. This is accomplished by enabling 
IPSec between the mobile router and an IPSec gateway located behind the home agent. Because an IPSec 
tunnel is established within the Mobile IP tunnel, IKE renegotiation is unnecessary while the mobile 
router moves about. The result is a secure, scalable mobile network that is based on standards.
The IPSec encryption algorithm that runs between the mobile router and the IPSec gateway can be either 
Triple Data Encryption Standard (3DES) or Advanced Encryption Standard (AES). Note that AES 
provides greater security than DES and is more efficient than 3DES.