The Mobile IPv6 specification defines a protocol, called Route Optimization, allowing a roaming Mobile Node to update its routing with an arbitrary IPv6 node, the Correspondent Node, when the Mobile Node hands over to a new subnet. The Mobile Node performs Route Optimization by sending a Binding Update message to the Correspondent Node, including its new routing address. In order to prevent various types of attacks, the Correspondent Node must be able to authenticate the Binding Update. Therefore, the Mobile Node and Correspondent Node must share a key.
The Mobile IPv6 specification defines a protocol called Return Routability that establishes a shared key between the Mobile Node and the Correspondent Node. Return Routability does not require any pre-existing security infrastructure because it depends on the presumed security of the routing infrastructure. A disadvantage is that it is subject to a low-probability residual man-in-the-middle attack, and therefore it must be executed frequently to refresh the key, increasing latency in subnet handover.
In this paper, we describe a certificate-based alternative called CertBU. CertBU establishes a shared key between the Mobile Node and Correspondent Node using certified public keys, thereby eliminating the residual man-in-the-middle attack. The shared key remains valid for considerably longer, facilitating faster handover. We show how a global PKI can be avoided by using the Mobile IP Home Agent. We present an example that uses SSL to secure the key exchange and an implementation on Linux that uses OpenSSL, including performance comparisons with Return Routability.
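The Return Routability key described above, sketched as an added example (not code from the paper), following the token, Kbm and authenticator formulas in RFC 6275. The addresses, nonces, Kcn value and mobility-header bytes are constructed, and passing the nonces directly instead of nonce indices is a simplifying assumption.

```python
import hashlib
import hmac
import ipaddress

def packed(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed

def keygen_token(kcn: bytes, addr: str, nonce: bytes, kind: int) -> bytes:
    """First(64, HMAC_SHA1(Kcn, address | nonce | kind)); kind 0 = home, 1 = care-of."""
    data = packed(addr) + nonce + bytes([kind])
    return hmac.new(kcn, data, hashlib.sha1).digest()[:8]

def binding_key(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA-1(home keygen token | care-of keygen token).
    Kbm depends only on the two tokens, which travel unprotected on the paths
    to the home and care-of addresses: the routing-security assumption."""
    return hashlib.sha1(home_token + careof_token).digest()

def authenticator(kbm: bytes, coa: str, cn_addr: str, mh_data: bytes) -> bytes:
    """First(96, HMAC_SHA1(Kbm, care-of address | correspondent | MH Data))."""
    data = packed(coa) + packed(cn_addr) + mh_data
    return hmac.new(kbm, data, hashlib.sha1).digest()[:12]

def cn_verify(kcn, nonces, hoa, coa, cn_addr, mh_data, auth) -> bool:
    """Correspondent Node check: rebuild both tokens from its node key Kcn and
    its nonces (no per-Mobile-Node state), derive Kbm, compare in constant time."""
    home_nonce, careof_nonce = nonces
    kbm = binding_key(keygen_token(kcn, hoa, home_nonce, 0),
                      keygen_token(kcn, coa, careof_nonce, 1))
    return hmac.compare_digest(authenticator(kbm, coa, cn_addr, mh_data), auth)

def demo():
    kcn = bytes(range(20))                    # constructed 20-octet node key
    nonces = (b"\x01" * 8, b"\x02" * 8)       # constructed home / care-of nonces
    hoa, coa, cn = "2001:db8:1::10", "2001:db8:2::10", "2001:db8:3::1"
    mh_data = b"constructed-binding-update"   # stands in for the mobility header
    # Mobile Node side: tokens arrive in the Home Test and Care-of Test messages.
    home_tok = keygen_token(kcn, hoa, nonces[0], 0)
    careof_tok = keygen_token(kcn, coa, nonces[1], 1)
    auth = authenticator(binding_key(home_tok, careof_tok), coa, cn, mh_data)
    accepted = cn_verify(kcn, nonces, hoa, coa, cn, mh_data, auth)
    # The same authenticator presented for a different care-of address fails.
    moved = cn_verify(kcn, nonces, hoa, "2001:db8:9::66", cn, mh_data, auth)
    return accepted, moved

if __name__ == "__main__":
    print(demo())
```
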