Host Identity Protocol Pekka Nikander Ericsson Research Nomadiclab and Helsinki Institute for Information Technology

Slides:



Advertisements
Similar presentations
Approaches to Multi-Homing for IPv6 An Architectural View of IPv6 MultiHoming proposals Geoff Huston 2004.
Advertisements

Keiji Maekawa Graduate School of Informatics, Kyoto University Yasuo Okabe Academic Center for Computing and Media Studies, Kyoto University.
Using HIP to solve MULTI-HOMING IN IPv6 networks YUAN Zhangyi Beijing University of Posts and Telecommunications.
Internet Area IPv6 Multi-Addressing, Locators and Paths.
Why do current IP semantics cause scaling issues? −Today, “addressing follows topology,” which limits route aggregation compactness −Overloaded IP address.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,
T Special Course in Data Communication Software Mobility in the Internet Prof. Sasu Tarkoma.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
1/32 Internet Architecture Lukas Banach Tutors: Holger Karl Christian Dannewitz Monday C. Today I³SI³HIPHI³.
Internet Indirection Infrastructure Ion Stoica and many others… UC Berkeley.
Internet Indirection Infrastructure Ion Stoica UC Berkeley.
CS 268: Project Suggestions Ion Stoica February 6, 2003.
Internet Protocol Security (IPSec)
K. Salah1 Security Protocols in the Internet IPSec.
Internet Indirection Infrastructure (i3) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana UC Berkeley SIGCOMM 2002.
Towards a New Naming Architectures
Issues of HIP in an Operators Network Nick Papadoglou Thomas Dietz.
Host Identity Protocol
Slide 1, Dr. Wolfgang Böhm, Mobile Internet, © Siemens AG 2001 Dr. Wolfgang Böhm Siemens AG, Mobile Internet Dr. Wolfgang.
Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.
1 Chapter06 Mobile IP. 2 Outline What is the problem at the routing layer when Internet hosts move?! Can the problem be solved? What is the standard solution?
Host Mobility for IP Networks CSCI 6704 Group Presentation presented by Ye Liang, ChongZhi Wang, XueHai Wang March 13, 2004.
Host Identity Protocol
An ID/locator split architecture for future networks Ved P. Kafle, Hideki Otsuki, and Masugi Inoue, National Institute of Information and Communications.
Re-thinking Security in Network Mobility Jukka Ylitalo Ericsson Research NomadicLab NDSS '05 Workshop - February 2.
IETF82, TAIWAN Meilian LU, Xiangyang GONG, Wendong WANG
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
1 November 2006 in Dagstuhl, Germany
Karlstad University IP security Ge Zhang
SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.
Problems in using HIP for P2PSIP Philip Matthews Avaya
Review of HIPRG status at IAB breakfast Andrei Gurtov Tom Henderson
Multimedia & Mobile Communications Lab.
Lectu re 1 Recap: “Operational” view of Internet r Internet: “network of networks” m Requires sending, receiving of messages r protocols control sending,
InfraHIP HIIT ARU Portfolio Seminar Andrei Gurtov.
HIP research group 1 HIP-RG meeting, IETF 65 March 24, 2006 Andrei Gurtov and Tom Henderson
An Update on Multihoming in IPv6 Report on IETF Activity RIPE IPv6 Working Group 22 Sept 2004 RIPE 49 Geoff Huston, APNIC.
Approaches to Multi6 An Architectural View of Multi6 proposals Geoff Huston March 2004.
HIP research group 1 HIP-RG meeting, IETF 61 November 12, 2004 Tom Henderson Pekka Nikander
Mar del Plata, Argentina, 31 Aug – 1 Sep 2009 ITU-T Kaleidoscope 2009 Innovations for Digital Inclusion Ved P. Kafle, Hideki Otsuki, and Masugi Inoue National.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
CS 268: Project Suggestions Ion Stoica January 26, 2004.
Ασύρματες και Κινητές Επικοινωνίες Ενότητα # 10: Mobile Network Layer: Mobile IP Διδάσκων: Βασίλειος Σύρης Τμήμα: Πληροφορικής.
Things to Think About Eliot Lear IETF 59. What the document ISN’T This is not a requirements document –We did one of those already – RFC 3582 Not an architectural.
T Network Application Frameworks and XML Summary and Conclusions Sasu Tarkoma.
Site Multihoming for IPv6 Brian Carpenter IBM TERENA Networking Conference, Poznan, 2005.
HIP & MIP V 6 SECURITY Research: Security Architecture IRT Lab, Columbia University.
Moving HIP to Standards Track Robert Moskowitz ICSAlabs an Independent Div of Verizon Business Systems July 30, 2009 Slides presented.
IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.
Michael G. Williams, Jeremey Barrett 1 Intro to Mobi-D Host based mobility.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
Host Identity Protocol, PLA, and PSIRP Host Identity Protocol, PLA, and PSIRP Prof. Sasu Tarkoma Part of the material is based on lecture slides.
K. Salah1 Security Protocols in the Internet IPSec.
Securing Access to Data Using IPsec Josh Jones Cosc352.
SHIP: Performance Reference: “SHIP mobility management hybrid SIP-HIP scheme” So, J.Y.H.; Jidong Wang; Jones, D.; Sixth International Conference on
Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.
Mobile IP THE 12 TH MEETING. Mobile IP  Incorporation of mobile users in the network.  Cellular system (e.g., GSM) started with mobility in mind. 
HIP-Based NAT Traversal in P2P-Environments
Internet Indirection Infrastructure (i3)
An Update on Multihoming in IPv6 Report on IETF Activity
Presentation transcript:

Host Identity Protocol Pekka Nikander Ericsson Research Nomadiclab and Helsinki Institute for Information Technology

2 Introduction: What and why? Background HIP in a Nutshell Mobility and multi-homing (multi-addressing) HIP infrastructure: Hi 3 Current status Summary Presentation outline

3 What is HIP? HIP = Host Identity Protocol A proposal to separate identifier from locator at the network layer of the TCP/IP stack A new name space of public keys A protocol for discovering and authenticating bindings between public keys and IP addresses Secured using signatures and keyed hashes

4 Motivation Not to standardise a solution to a problem No explicit problem statement Exploring the consequences of the id / loc split Try it out in real life, in the live Internet A different look at many problems Mobility, multi-homing, end-to-end security, signalling, control/data plane separation, rendezvous, NAT traversal, firewall security,...

5 Introduction: What and why? Background HIP in a Nutshell Mobility and multi-homing (multi-addressing) HIP infrastructure: Hi 3 Current status Summary Presentation outline

6 Background A brief history of HIP Architectural background Related IETF Working Groups

7 A Brief History of HIP 1999 :idea discussed briefly at the IETF 2001:two BoFs, no WG created at that time 02-03:development at the corridors 2004: WG and RG created Now:base protocol more or less ready Four interoperating implementations More work needed on mobility, multi-homing, NAT traversal, infrastructure, and other issues

8 IP addresses serve the dual role of being End-point Identifiers Names of network interfaces on hosts Locators Names of naming topological locations This duality makes many things hard Architectural background

9 New requirements to Internet Addressing Mobile hosts Need to change IP address dynamically Multi-interface hosts Have multiple independent addresses Mobile, multi-interface hosts most challenging Multiple, dynamically changing addresses More complex environment e.g. local-only connectivity

10 nsrg ID/loc split Related IETF WGs and RGs Mobility mip6 mip4 mipshop Security ipsec mobike btns multi6 tsvwg (sctp) shim6 Multi-homing hip

11 Introduction: What and why? Background HIP in a Nutshell Mobility and multi-homing (multi-addressing) HIP infrastructure: Hi 3 Current status Summary Presentation outline

12 HIP in a Nutshell Architectural change to TCP/IP structure Integrates security, mobility, and multi- homing Opportunistic host-to-host IPsec ESP End-host mobility, across IPv4 and IPv6 End-host multi-address multi-homing, IPv4/v6 IPv4 / v6 interoperability for apps A new layer between IP and transport Introduces cryptographic Host Identifiers

13 IP addr A new Name Space of Host Identifiers (HI) Public crypto keys! Presented as 128-bit long hash values, Host ID Tags (HIT) Sockets bound to HIs, not to IP addresses HIs translated to IP addresses in the kernel The Idea ProcessProcess TransportTransport IP layer Link layer IP address Host Identity Host ID

14 An analogy: What if people were hosts Connect to whoever happens to be at Connect to Current IPHIP

15 IP layer Fragmentation More detailed layering Link Layer ForwardingForwarding IPsec Transport Layer End-to-end, HITs Hop-by-hop, IP addresses HIP MobilityMobility Multi-homingMulti-homing v4/v6 bridge

16 Protocol overview Initiator Responder I1: HIT I, HIT R or NULL R1: HIT I, [HIT R, puzzle, DH R, HI R ] sig I2: [HIT I, HIT R, solution, DH I, {HI I }] sig R2: [HIT I, HIT R, authenticator] sig User data messages Control Data

17 Base exchange InitiatorResponder I1HIT I, HIT R or NULL R1HIT I, [HIT R, puzzle, DH R, HI R ] sig I2[HIT I, HIT R, solution, DH I,{HI I }] sig R2[HIT I, HIT R, authenticator] sig ESP protected TCP/UDP, no explicit HIP header User data messages solve puzzle verify, authenticate, replay protection draft-ietf-hip-base-02.txt, draft-jokela-hip-esp-00.txt Based on SIGMA family of key exchange protocols

Other core components Per-packet identity context Indirectly, through SPI if ESP (or SRTP) is used Directly, e.g., through an explicit shim header A mechanism for resolving identities to addresses DNS-based, if FQDNs used by applications Or distributed hash tables (DHTs) based

19 How applications work today (when IPsec ESP is used) IKE Server app socket API IPsec SAD IPsec SAD IPsec SPD IPsec SPD IPsec SPD IPsec SPD IPsec SAD IPsec SAD connect(IP S ) TCP SYN to IP S DNS query ESP protected TCP SYN to IPaddr S TCP SYN from IP C DNS server DNS reply Client app IP DNS library DNS library

20 One way to implement HIP HIP daemon Server app socket API IPsec SAD IPsec SAD IPsec SPD IPsec SPD IPsec SPD IPsec SPD IPsec SAD IPsec SAD TCP SYN to HIT S DNS query ESP protected TCP SYN to IPaddr S convert HITs to IP addresses convert IP addresses to HITs TCP SYN from HIT C DNS server DNS reply Client app HIT DNS library DNS library HIT > {IP addresses} connect(HIT S )

21 Using HIP with ESP HIP daemon Server app socket API IPsec SAD IPsec SAD IPsec SPD IPsec SPD IPsec SPD IPsec SPD IPsec SAD IPsec SAD TCP SYN to HIT S DNS query ESP protected TCP SYN to IPaddr S convert HITs to IP addresses convert IP addresses to HITs TCP SYN from HIT C DNS server DNS reply Client app HIT DNS library DNS library HIT > {IP addresses} connect(HIT S )

22 Many faces More established views: A different IKE for simplified end-to-end ESP Super Mobile IP with v4/v6 interoperability and dynamic home agents A host multi-homing solution Newer views: New waist of IP stack; universal connectivity Secure carrier for signalling protocols

23 HIP as the new waist of TCP/IP v4 app TCPv4 IPv4 Link layer TCPv6 IPv6 v6 appv4 app TCPv4 IPv4 Link layer TCPv6 IPv6 v6 app Host identity

24 HIP for universal connectivity Goal: Lowest layer providing location- independent identifiers and end-to-end connectivity Work in progress: Support for traversing legacy NATs Firewall registration and authentication Architected middleboxes or layer 3.5 routing Identity-based connectivity with DHTs

25 Signalling carrier Originally HIP supported only ESP-based user data transport (previous slides) ESP is now being split from the base protocol Base protocol is becoming a secure carrier for any kinds of signalling Support for separate signalling and data paths Implicitly present in the original design Now being made more explicit

26 Faces summary: Motivating architectural factors A “reachability” solution across NATs New “waist” for the protocol stack Built-in security Implicit channel bindings connect(HIT) provides a secured connection to the identified host Puzzle-based DoS protection Integrated mobility and end-host multi-homing

27 Introduction: What and why? Background HIP in a Nutshell Mobility and multi-homing (multi-addressing) HIP infrastructure: Hi 3 Current status Summary Presentation outline

28 Introduction to IP based mobility and multi-homing Mobility implemented at “lP layer” IP addresses are assigned according to topology Allows for routing prefix aggregation Mobile hosts change their topological location Multi-homed hosts present at many locations In an IP based m&m solution Transport & apps do not see address changes or multiple addresses

29 Rendezvous Initial rendezvous How to find a moving end-point? Can be based on directories Requires fast directory updates → Bad match for DNS Tackling double-jump What if both hosts move at same time? Requires rendezvous point

30 Mobile IP Home Agent (HA) Serves a Home Address Initial reachability Triangular routing Route optimization Tunnels to bypass HA HA as rendezvous point HA MN CN

31 Two types of IP multi-homing / /24 Multi-addressing /24 Routing based

32 Multi-addressing dimensions One host Single subnet Parts of topology All hosts end-host multihoming end-host mobility Moving networks (NEMO) moving, multi-homed networks Multi- homing Mobility SoHo site multihoming enterprise multihoming ad hoc networks

33 Mobility and multi-homing become duals of each other Mobile host has many addresses over time Multi-homed host has many addresses at the same time Leads to a Virtual Interface Model A host may have real and virtual interfaces Merges the “Home Agent” HIP Mobility & Multi-homing

34 ESP from MN to CN Mobility protocol Mobile Corresponding UPDATE: HITs, new locator(s), sig UPDATE: HITs, RR challenge, sig ESP on both directions UPDATE: HITs, RR response, sig

35 Introduction: What and why? Background HIP in a Nutshell Mobility and multi-homing (multi-addressing) HIP infrastructure: Hi 3 Current status Summary Presentation outline

36 Depends on application For multi-addressing, self-generated keys Usually keys in the DNS Can use PKI if needed Opportunistic mode supported SSH-like leap-of-faith Accept a new key if it matches a fingerprint Key distribution for HIP DNS server Client app DNS query: A, AAAA, KEY DNS reply: A, AAAA, KEY

37 Basic HIP rendezvous Rendezvous server Server Client Rendezvous registration I1 R1 I2 R2

38 HIP registration protocol ClientServer I1 R1 + REG_INFO I2 + REG_REQUEST R2 + REG_RESPONSE

39 HIs originally planned to be stored in the DNS Retrieved simultaneously with IP addresses Does not work if you have only a HIT Question: How to get data based on HIT only? HITs look like 128-bit random numbers Possible answer: DHT based overlay like i 3 The infrastructure question

40 Distributed Hash Tables Distributed directory for flat data Several different ways to implement Each server maintains a partial map Overlay addresses to direct to the right server Resilience through parallel, unrelated mappings Used to create overlay networks

41 i 3 rendezvous abstraction Trigger inserted by receiver(s) Packets addressed to identifiers i 3 routes packet to the receiver(s) Sender Receiver (R) IDR trigger send(ID, data) send(R, data)

42 Hi 3 : combining HIP and i3 Developed at Ericsson Research IP Networks Uses i 3 overlay for HIP control packets Provides rendezvous for HIP Data packets use plain old IP Cryptographically protected with ESP Only soft or optional state in the network

43 H i 3 and DHT-based rendezvous i 3 overlay based control plane IP-based user plane

44 Control/data separation IDR i 3 overlay based rendezvous infra

45 Hi 3 overlay and IPsec connectivity i 3 overlay for signalling (control plane) Routes only HIP control packets e2e ESP for data traffic (user plane) Firewalls/middle boxes opened dynamically Only end-to-end signalling (HIP) Middle boxes “snoop” e2e messages Lots of details to be filled in

46 An Internet control plane? HIP separates control and data traffic Hi 3 routes control traffic through overlay Control and data packets take potentially very different paths Allows telecom-like control … … but does not require it

47 Benefits for everyone Operators Control, security, resilience, revenue Enterprises Security, resilience, mobility Individual users Security, mobility, ease of use

48 Benefits to operators More controlled network Data requires HIP handshake first Protection against DoS and DDoS Resilience Integrated multi-homing No single points of failure

49 Benefits to enterprises More secure firewalls Integrated mobility and multi-access Across IPv4 and IPv6 No single points of failure

50 Benefits to users DoS and DDoS protection Supports home servers (NAT traversal) Configuration free baseline security (ssh-like leap-of-faith encryption

51 Introduction: What and why? Background HIP in a Nutshell Mobility and multi-homing (multi-addressing) HIP infrastructure: Hi 3 Current status Summary Presentation outline

52 Current status WG and RG formed at the IETF / IRTF First meetings in Seoul, March 2004 Four known interoperating implementations A number of internet drafts Base specifications start to be mature About a dozen papers published or submitted

53 Implementation status Four interoperating implementations Ericsson Research Nomadiclab, FreeBSD Helsinki Institute for Information Tech., Linux Boeing Phantom Works, Linux and Windows Sun Labs Grenoble, Solaris Other implementations Indranet (obsolete), DoCoMo US Labs, rumours about other

54 Evolution of drafts: Early era

55 Evolution of drafts: Restart

56 Evolution of drafts: Currently 11 Architecture Base exchange Mobility & multi-homing DNS Rendezvous Registration

57 Introduction: What and why? Background HIP in a Nutshell Mobility and multi-homing (multi-addressing) HIP infrastructure: Hi 3 Current status Summary Presentation outline

58 New cryptographic name space IP hosts identified with public keys Integrates security, mobility, multi-homing Evolving into a more generic signalling carrier Four interoperating implementations (total 7?) Base specifications start to be mature Summary

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.