When a mobile node enters a non-local subnet, it requests the services of a foreign agent, to obtain a connection to its home subnet. This connection is established through the mobile node's home host or router, called a home agent. An initial protocol is used to register the mobile node's location with its home agent. It is necessary, even if further communications require no security, that control messages between a mobile node and a home agent that are used for mobile registration be authenticated . Therefore, as a minimum requirement, a mobile node and home agent must share the basic information needed for a security association to support authentication during registration.
After registration, the next step in adding security features to a mobile environment consists of grafting security mechanisms that are currently proposed for use on the Internet. Specifically, additional IP layer headers are used to supply confidentiality and authentication over datagrams through binding security to routes. A mobile node that is ``abroad'' can be viewed as creating an extension of a local secure enclave. The mobile node and home agent, by definition, belong to one administrative/security domain.