Host Identity Protocol


Host Identity Protocol

What is HIP
• A multi-addressing and mobility solution for the Internet
• Also a security protocol for authentication and encryption
• Adds a new layer to separate the transport and network layers
• The new layer maps host identifiers to network addresses and vice versa

History
• 1999: Idea discussed briefly at the IETF
• 2001: Two BoFs, no WG created at that time
• 2002-2003: Development in the corridors
• 2004: WG and RG created
• 2007: First stable version

HIP
• Developed at the IETF since 1999, first stable version in 2007
• Inserts a cryptographic namespace between the transport and network layers
• No changes needed in applications or routers (changes reside in the network stack of the host)
• Provides many more features than LISP
• Aims for security, mobility, multi-homing
• Host Identity Protocol: review paper by Pekka Nikander et al.

Achievements
• Mobility
• Multi-homing
• Security
• NAT / IPv4 / IPv6 traversal

Host Identity Tag (HIT)
• A public key is used to identify an end-host
• A 128-bit host identity tag (HIT) is used in system calls
• The HIT is a hash of the public key and has global scope
• A 32-bit local scope identifier (LSI) is used for IPv4 compatibility
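As an added example, not taken from the slides: deriving a HIT-like identifier from a public key and checking that a key a peer presents actually matches the HIT it claims, which is what makes the HIT self-certifying. The layout follows the ORCHID scheme HIP uses (28-bit prefix 2001:20::/28, 4-bit hash-algorithm id, 96-bit truncated hash), but the exact truncation rule, the algorithm-id mapping and the LSI derivation (1.0.0.0/8 plus the low 24 bits of the HIT) are simplifying assumptions of this example, and the "public keys" are constructed bytes standing in for DER-encoded Host Identities.

```python
# Added example: a simplified HIT (ORCHID-style) derivation and verification.
# Assumed layout: 28-bit prefix 2001:20::/28 | 4-bit hash id | 96-bit hash truncation.
import hashlib
import ipaddress

ORCHID_PREFIX = 0x2001002 << 100      # top 28 bits of the 128-bit address: 2001:20::/28
HASH_FOR_OGA = {1: "sha256"}          # assumed id -> hash mapping for this illustration

# Constructed stand-ins for two DER-encoded public keys (not real keys).
SAMPLE_KEY = b"constructed-public-key-of-host-A" * 2
OTHER_KEY = b"constructed-public-key-of-host-B" * 2


def derive_hit(public_key: bytes, oga_id: int = 1) -> str:
    """Hash the public key and pack the result into the ORCHID address layout."""
    digest = hashlib.new(HASH_FOR_OGA[oga_id], public_key).digest()
    hash96 = int.from_bytes(digest[:12], "big")   # 96 bits; truncation rule is an assumption
    value = ORCHID_PREFIX | (oga_id << 96) | hash96
    return str(ipaddress.IPv6Address(value))


def derive_lsi(hit: str) -> str:
    """32-bit local scope identifier: assumed 1.0.0.0/8 plus the low 24 bits of the HIT."""
    low24 = int(ipaddress.IPv6Address(hit)) & 0xFFFFFF
    return str(ipaddress.IPv4Address((1 << 24) | low24))


def in_orchid_prefix(hit: str) -> bool:
    """True if the address lies in the ORCHID prefix reserved for these identifiers."""
    return (int(ipaddress.IPv6Address(hit)) >> 100) == (ORCHID_PREFIX >> 100)


def verify_hit(public_key: bytes, claimed_hit: str) -> bool:
    """Recompute the HIT from the presented key; any mismatch means the key is not the
    one the HIT names (wrong key, unknown hash id, or an address outside the prefix)."""
    if not in_orchid_prefix(claimed_hit):
        return False
    oga_id = (int(ipaddress.IPv6Address(claimed_hit)) >> 96) & 0xF
    if oga_id not in HASH_FOR_OGA:
        return False
    return derive_hit(public_key, oga_id) == claimed_hit


if __name__ == "__main__":
    hit_a = derive_hit(SAMPLE_KEY)
    print("HIT of host A:", hit_a, "LSI:", derive_lsi(hit_a))
    print("key A matches its HIT:", verify_hit(SAMPLE_KEY, hit_a))
    print("key B claiming A's HIT:", verify_hit(OTHER_KEY, hit_a))
```

Because the HIT is a hash of the key, a peer that proves possession of the private key (as in the signed base-exchange messages) has proved ownership of the identifier itself; no third party needs to vouch for the binding.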

WHY
• To overcome the shortcomings of the existing Internet, namely
  • The dual role of IP as both host identifier and locator
  • The lack of security in IP
• To make end-host mobility and multi-homing very easy to implement

How it works
• HIP introduces a host identity layer between the transport and network layers
• HIP uses the base exchange to perform authentication and establish session keys before communication
• Communication data is protected using IPsec ESP
• HIP provides a readdressing mechanism to support IP address changes with mobility and multi-homing

Architecture

Architecture
• Transport layer communication is bound to the host identity instead of the IP address
• The binding between host identity and IP address is dynamic and can be one-to-many
• A host layer protocol is defined to make HIP work

Host Layer Protocol
• A signaling protocol between the communicating end-points
• Performs mutual end-to-end authentication
• Creates IPsec ESP Security Associations for integrity protection and encryption
• Performs reachability verification
• Consists of 7 message types, four of which are dedicated to the base exchange

More detailed layering (figure)
• Transport layer: end-to-end, addressed by HITs
• HIP layer: mobility, multi-homing, v4/v6 bridge, IPsec
• IP layer: fragmentation, forwarding; hop-by-hop, addressed by IP addresses
• Link layer

Protocol overview (figure: Initiator on the left, Responder on the right)
Control:
• I1: HIT_I, HIT_R or NULL
• R1: HIT_I, [HIT_R, puzzle, DH_R, HI_R]sig
• I2: [HIT_I, HIT_R, solution, DH_I, {HI_I}]sig
• R2: [HIT_I, HIT_R, authenticator]sig
Data:
• User data messages

Base Exchange

Base Exchange
• Step 1: The Initiator (I) sends the first packet, I1, which contains its own HIT and the HIT of the Responder (R)
• Step 2: R replies with message R1, which contains the HITs of I and itself as well as a puzzle-based challenge for I to solve
• Step 3: I solves the puzzle and sends in I2 the HITs of itself and R as well as the solution to the puzzle, and performs the authentication
• Step 4: R now commits itself to the communication, responds with the HITs of I and itself, and performs the authentication
• After this, I and R have performed mutual authentication and established Security Associations for ESP
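The puzzle in R1 and its solution in I2 are what let the Responder stay cheap to contact: the Initiator must do work before the Responder creates any state, which is the base exchange's defence against connection flooding. The following is an added example, not code from the slides or from any HIP implementation, of the puzzle mechanism in the protocol overview and steps 2 and 3 above. It assumes SHA-256 as the hash, an 8-byte random nonce I and a difficulty K meaning "the low K bits of the hash must be zero"; the HIT values are constructed, and the `Responder` class keeps a small set of issued nonces for clarity where a real responder would derive them from a periodically changing secret so that no per-initiator state is held before I2.

```python
# Added example: the HIP puzzle exchange (R1 issues, I2 solves, responder verifies).
import hashlib
import os

RHASH = hashlib.sha256          # responder's hash function (assumed SHA-256 here)

# Constructed 128-bit HITs for the two parties (not derived from real keys).
HIT_I = bytes(range(16))
HIT_R = bytes(range(16, 32))


def ltrunc(digest: bytes, k: int) -> int:
    """Low-order k bits of a digest, as an integer (k = 0 means nothing to check)."""
    return int.from_bytes(digest, "big") & ((1 << k) - 1)


def puzzle_hash(I: bytes, hit_i: bytes, hit_r: bytes, J: bytes) -> bytes:
    """Hash over the puzzle nonce I, both HITs and the candidate solution J, so a
    solution is bound to this pair of hosts and cannot be reused elsewhere."""
    return RHASH(I + hit_i + hit_r + J).digest()


def solve_puzzle(I: bytes, K: int, hit_i: bytes, hit_r: bytes) -> bytes:
    """Initiator's work: brute-force a J whose hash ends in K zero bits (about 2^K tries)."""
    J = 0
    while True:
        candidate = J.to_bytes(8, "big")
        if ltrunc(puzzle_hash(I, hit_i, hit_r, candidate), K) == 0:
            return candidate
        J += 1


def verify_solution(I: bytes, K: int, hit_i: bytes, hit_r: bytes, J: bytes) -> bool:
    """Responder's check: a single hash computation, whatever K is."""
    return ltrunc(puzzle_hash(I, hit_i, hit_r, J), K) == 0


class Responder:
    def __init__(self, hit_r: bytes, difficulty: int):
        self.hit_r = hit_r
        self.K = difficulty             # raised under load to make I2 more expensive to forge
        self.outstanding = set()        # toy bookkeeping of issued puzzle nonces

    def on_i1(self, hit_i: bytes) -> dict:
        """Answer I1 with R1: both HITs plus the puzzle (I, K). No session state yet."""
        I = os.urandom(8)
        self.outstanding.add(I)
        return {"HIT_I": hit_i, "HIT_R": self.hit_r, "I": I, "K": self.K}

    def on_i2(self, hit_i: bytes, I: bytes, J: bytes) -> bool:
        """Accept I2 only if a puzzle this responder issued is solved; each is usable once."""
        if I not in self.outstanding:
            return False                            # never issued, expired or already consumed
        if not verify_solution(I, self.K, hit_i, self.hit_r, J):
            return False                            # wrong solution: drop without storing anything
        self.outstanding.discard(I)                 # consumed, so a replayed I2 is rejected
        return True                                 # only now commit state and build the ESP SAs


if __name__ == "__main__":
    responder = Responder(HIT_R, difficulty=12)
    r1 = responder.on_i1(HIT_I)                     # step 2: R1 carries the puzzle
    J = solve_puzzle(r1["I"], r1["K"], HIT_I, HIT_R)  # step 3: initiator does the work
    print("I2 accepted:", responder.on_i2(HIT_I, r1["I"], J))
    print("replayed I2 accepted:", responder.on_i2(HIT_I, r1["I"], J))
```

The asymmetry is the point: the Initiator spends roughly 2^K hash evaluations, the Responder spends one, and it can raise K when it sees a flood of I1 packets.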

Mobility with HIP
• HIP provides a dynamic binding between a Host ID and IP addresses
• A mobile node sends a REA (readdressing) packet to its peer to announce the change of address
• The peer verifies the reachability of the mobile node at the new address

Mobility with HIP

Multi-homing
• A host can have multiple network interfaces

Multihoming with HIP
• HIP provides a one-to-many binding between a Host ID and IP addresses
• A multi-homed host can send a list of its available addresses to its peer and designate a preferred address
• The peer host can choose the communication address in case of failover or based on load-balancing considerations
• An update message is enough to make it work
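The readdressing described on the two preceding slides only stays safe because the peer verifies reachability before sending data to a newly announced address; otherwise an UPDATE could redirect a session to an address the sender does not control. The following is an added example, not code from the slides or from any HIP implementation, modelling that rule: a peer records announced locators, probes each new one with a fresh nonce, switches only on a matching echo response, and falls back to another verified address on failure. The message names, the echo fields and the address strings are assumptions of this example.

```python
# Added example: peer-side handling of HIP readdressing with reachability verification.
import hmac
import os


class PeerState:
    """What one host remembers about the other end of a HIP association."""

    def __init__(self, remote_hit: bytes):
        self.remote_hit = remote_hit
        self.verified = []          # locators confirmed reachable, in order of confirmation
        self.preferred = None       # locator currently used for sending
        self.pending = {}           # locator -> echo nonce sent, awaiting the response
        self.announced_pref = None  # the address the remote host asked us to prefer

    def on_update(self, locators, preferred):
        """Handle a readdressing UPDATE; returns the echo requests to send out."""
        self.announced_pref = preferred
        requests = []
        for loc in locators:
            if loc in self.verified:
                continue                    # already proven reachable, nothing to probe
            nonce = os.urandom(8)           # fresh per address: binds the reply to this probe
            self.pending[loc] = nonce
            requests.append((loc, nonce))
        # Addresses the remote host no longer lists stop being used.
        self.verified = [loc for loc in self.verified if loc in locators]
        if self.preferred not in self.verified:
            self.preferred = self.verified[0] if self.verified else None
        return requests

    def on_echo_response(self, src_addr, nonce) -> bool:
        """Only a response carrying the nonce we sent to that address verifies it."""
        expected = self.pending.get(src_addr)
        if expected is None or not hmac.compare_digest(expected, nonce):
            return False                    # unsolicited or forged: address stays unusable
        del self.pending[src_addr]
        self.verified.append(src_addr)
        if src_addr == self.announced_pref or self.preferred is None:
            self.preferred = src_addr       # honour the preference once it is verified
        return True

    def on_failure(self, addr):
        """Failover: stop using an address that stopped working, fall back to another."""
        if addr in self.verified:
            self.verified.remove(addr)
        if self.preferred == addr:
            self.preferred = self.verified[0] if self.verified else None

    def send_to(self):
        """Locator that data packets are sent to right now (None = nothing verified yet)."""
        return self.preferred


if __name__ == "__main__":
    peer = PeerState(remote_hit=bytes(16))   # constructed HIT of the mobile host
    reqs = peer.on_update(["192.0.2.10"], preferred="192.0.2.10")
    print("before verification, send to:", peer.send_to())
    for addr, nonce in reqs:
        peer.on_echo_response(addr, nonce)   # the mobile host echoes the nonce back
    print("after verification, send to:", peer.send_to())
```

Note that until the echo comes back the peer keeps sending to the old verified address (or to nothing, for a brand-new association), so a spoofed UPDATE on its own cannot move the traffic.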

Multihoming with HIP

Implementation
• Involves kernel-level programming, since the host layer protocol works under the transport layer
• Only the base exchange is implemented in the HIPL project
• HIP is implemented as a kernel module, which uses a user-space daemon for cryptographic operations

Using HIP with ESP (figure: client app, DNS library, HIP daemon and IPsec SPD/SAD on each host)
• The client app issues a DNS query; the DNS reply gives the server's HIT (HIT_S) and the mapping HIT -----> {IP addresses} is handed to the client's HIP daemon
• The client app calls connect(HIT_S) through the socket API, so TCP sends a SYN to HIT_S
• The client's HIP daemon, using the IPsec SPD and SAD, converts HITs to IP addresses and sends an ESP-protected TCP SYN to IPaddr_S
• On the server, the IPsec SAD and SPD convert the IP addresses back to HITs, and the server app receives the TCP SYN from HIT_C through its socket API

HIP as the new waist of TCP/IP (figure)
• On each host: v4 and v6 apps run over TCPv4 / TCPv6, which bind to the Host identity layer; below it sit IPv4 or IPv6 and the Link layer

Conclusion
• HIP adds a layer between the transport and the network layers, thus separating the dual role of IP as both host identifier and locator
• HIP supports IP address changes over time with ease and without disrupting communications
• HIP provides strong endpoint authentication and communication encryption

Thanks