Published by Frank Gray. Modified over 7 years ago.
1
Establishing Host Identity Protocol Opportunistic Mode with TCP Option
Janne Lindqvist Helsinki University of Technology (presented by Miika Komu) draft-lindqvist-hip-opportunistic-00.txt
2
Motivation for the Approach
Fallback mechanism to plain TCP if the peer does not support HIP (TCP piggybacking). According to Medina et al., arbitrary TCP options are widely accepted in today's Internet.
3
Basic Idea
Include the Host Identity Tag as a TCP option in a TCP SYN segment. If the peer supports HIP, the peer responds with R1. Thus, the TCP SYN carrying the Host Identity Tag is equivalent to an opportunistic I1.
4
HIP TCP Option Format
8-bit Kind field. Needs IESG approval to assign an experimental value (RFC 3692). Used to distinguish one option from another.
8-bit Length field. Denotes the length of the option data. (Length = 18.)
128 bits for the Host Identity Tag.
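The option layout on this slide is simple enough to encode and decode by hand. The following is an added example, not code from the draft or from any HIP implementation: it builds the 18-byte |Kind|Length|HIT| option, places it in a TCP options field next to an ordinary MSS option with the 32-bit padding TCP requires, and parses a received options field back. The Kind value 253 is a placeholder (the draft has no assigned value; 253 is one of the experimental TCP option kinds from RFC 4727), and the parser treats a missing or wrong-sized option as "no HIT present", which is exactly the case in which the Initiator falls back to plain TCP.

```python
import struct

# The draft assigns no Kind value yet (it needs an IESG experimental assignment,
# RFC 3692). 253 is an experimental TCP option kind (RFC 4727) used here purely
# as a placeholder so the example can run.
HIP_OPTION_KIND_PLACEHOLDER = 253
HIT_LEN = 16                      # Host Identity Tag is 128 bits
HIP_OPTION_LENGTH = 2 + HIT_LEN   # Kind (1) + Length (1) + HIT (16) = 18, as on the slide

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def build_hip_option(hit: bytes, kind: int = HIP_OPTION_KIND_PLACEHOLDER) -> bytes:
    """Encode the option as |Kind|Length|HIT| (Length covers the whole option)."""
    if len(hit) != HIT_LEN:
        raise ValueError("HIT must be exactly 128 bits")
    return struct.pack("!BB", kind, HIP_OPTION_LENGTH) + hit


def build_tcp_options(*options: bytes) -> bytes:
    """Concatenate options and pad with EOL bytes to a 32-bit boundary."""
    data = b"".join(options)
    return data + bytes([TCPOPT_EOL]) * ((-len(data)) % 4)


def parse_tcp_options(field: bytes) -> list:
    """Walk a TCP options field and return [(kind, payload), ...].

    Single-byte EOL/NOP options are handled specially; every other option is
    |kind|length|data|. A truncated or impossible length raises ValueError,
    which a receiver would treat as a malformed segment.
    """
    parsed, i = [], 0
    while i < len(field):
        kind = field[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        if length < 2 or i + length > len(field):
            raise ValueError("bad option length %d" % length)
        parsed.append((kind, field[i + 2:i + length]))
        i += length
    return parsed


def extract_hit(field: bytes, kind: int = HIP_OPTION_KIND_PLACEHOLDER):
    """Return the peer's HIT if a well-formed HIP option is present, else None.

    None is the fallback signal: a SYN (or SYN+ACK) without the option means
    the peer did not speak HIP, and the connection continues as plain TCP.
    """
    for k, payload in parse_tcp_options(field):
        if k == kind and len(payload) == HIT_LEN:
            return payload
    return None


if __name__ == "__main__":
    hit = bytes(range(16))                          # constructed sample HIT
    mss = struct.pack("!BBH", TCPOPT_MSS, 4, 1460)  # ordinary MSS option
    field = build_tcp_options(mss, build_hip_option(hit))
    print("options field:", field.hex())
    print("HIT found:", extract_hit(field) == hit)
```

A peer that does not understand the Kind value simply skips the option by its Length byte, which is why the parser above advances by `length` regardless of `kind`; that behaviour is what makes the plain-TCP fallback work.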
5
Packet Processing without piggybacking
Initiator sends TCP SYN with the HIP TCP Option. Responder replies with R1 and creates neither HIP nor TCP state; the Responder thus ignores the TCP SYN. Initiator sends I2. Responder replies with R2. Initiator sends a normal TCP SYN to start the TCP handshake.
6
Packet Processing Motivation
We could allow the Responder to send TCP SYN+ACK after the HIP base exchange, but this would mean introducing TCP state before the base exchange is completed. HIP was designed to avoid state creation before verification that the Initiator is sincere. The above approach would hinder that objective.
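Slides 5 and 6 describe the non-piggybacking exchange and why the Responder must hold no state until the I2 puzzle solution is verified. The following is an added simulation, not code from the draft or from any HIP implementation, with both sides as plain Python: the Responder answers a SYN carrying a HIT with an R1 whose puzzle nonce is derived from a local secret (so nothing has to be remembered), creates its first state only when I2 carries a valid solution, and handles a plain SYN as ordinary TCP. A Responder that does not support HIP ignores the option and completes a normal handshake, which the Initiator reports as an unprotected plain-TCP fallback (the condition slide 14 says applications should surface to the user). The message format, the SHA-256 stand-in for the HIT, and the leading-zero-bits puzzle are all constructed for the example.

```python
import hashlib
import secrets

PUZZLE_K = 10  # constructed difficulty: leading zero bits required of the puzzle hash


def hit_of(host_key: bytes) -> bytes:
    """Constructed stand-in for a Host Identity Tag: 128-bit hash of the host key."""
    return hashlib.sha256(host_key).digest()[:16]


def puzzle_solved(I: bytes, hit_i: bytes, hit_r: bytes, J: bytes, k: int) -> bool:
    h = int.from_bytes(hashlib.sha256(I + hit_i + hit_r + J).digest(), "big")
    return h >> (256 - k) == 0


def solve_puzzle(I: bytes, hit_i: bytes, hit_r: bytes, k: int) -> bytes:
    """Initiator brute force: find J such that the top k bits of the hash are zero."""
    n = 0
    while not puzzle_solved(I, hit_i, hit_r, n.to_bytes(8, "big"), k):
        n += 1
    return n.to_bytes(8, "big")


class Responder:
    def __init__(self, host_key: bytes, supports_hip: bool = True):
        self.hit = hit_of(host_key)
        self.supports_hip = supports_hip
        self.secret = secrets.token_bytes(16)  # lets R1 be sent without remembering anything
        self.hip_assocs = set()  # peer HITs; an entry appears ONLY after a verified I2
        self.tcp_conns = {}      # peer id -> True if the TCP connection rides on a HIP association

    def _nonce(self, hit_i: bytes) -> bytes:
        # Puzzle I is recomputable from the secret, so checking I2 later needs no stored state.
        return hashlib.sha256(self.secret + hit_i).digest()[:8]

    def handle(self, msg: dict):
        if msg["type"] == "TCP_SYN":
            hit_i = msg.get("hit")
            if hit_i is not None and self.supports_hip:
                # Slide 5: reply R1, create neither HIP nor TCP state, ignore the SYN itself.
                return {"type": "R1", "hit_r": self.hit, "I": self._nonce(hit_i), "K": PUZZLE_K}
            # No option present, or a responder that does not speak HIP: ordinary TCP.
            self.tcp_conns[msg["src"]] = msg["src"] in self.hip_assocs
            return {"type": "TCP_SYNACK"}
        if msg["type"] == "I2" and self.supports_hip:
            hit_i = msg["hit_i"]
            if msg["I"] == self._nonce(hit_i) and puzzle_solved(
                    msg["I"], hit_i, self.hit, msg["J"], PUZZLE_K):
                self.hip_assocs.add(hit_i)  # first state, created after the puzzle verifies
                return {"type": "R2"}
            return None  # stale nonce or bad solution: drop silently, still no state
        return None


def connect(host_key: bytes, responder: Responder) -> str:
    """Initiator side of slide 5; returns how the connection ended up."""
    hit_i = hit_of(host_key)
    reply = responder.handle({"type": "TCP_SYN", "src": hit_i, "hit": hit_i})
    if reply["type"] == "TCP_SYNACK":
        return "plain-tcp"  # peer ignored the option: slide 2 fallback, unprotected
    J = solve_puzzle(reply["I"], hit_i, reply["hit_r"], reply["K"])
    r2 = responder.handle({"type": "I2", "hit_i": hit_i, "I": reply["I"], "J": J})
    if r2 is None or r2["type"] != "R2":
        return "hip-failed"
    responder.handle({"type": "TCP_SYN", "src": hit_i})  # normal SYN once the association exists
    return "hip-protected"


if __name__ == "__main__":
    print(connect(b"initiator-key", Responder(b"responder-key")))
    print(connect(b"initiator-key", Responder(b"legacy-key", supports_hip=False)))
```

The point to notice is where `hip_assocs` and `tcp_conns` are first written: never in the SYN-with-HIT branch, only after `puzzle_solved` succeeds, and (for TCP) only on a plain SYN. Moving the SYN+ACK into the R1 reply, as slide 6 considers, would force the Responder to record TCP state at the one point where it has verified nothing about the peer.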
7
Next, we open a can of worms.
8
Piggybacking TCP to HIP base exchange
One of the original motivators for the draft was the possibility to piggyback the TCP handshake onto the HIP base exchange. However, the approach is currently NOT RECOMMENDED.
9
HIP Piggybacking
Initiator: TCP SYN with the HIP TCP option.
Responder: R1 concatenated with TCP SYN+ACK.
Initiator: I2 concatenated with TCP ACK. (TCP handshake done.)
Responder: R2 and possibly concatenated TCP data.
10
HIP Piggybacking Problems: State creation?
We do not want to create HIP or TCP state before verification of the puzzle solution in I2. A normal TCP would be vulnerable to TCP ACK flooding if it did not create state while sending TCP SYN+ACK. (And it is vulnerable to TCP SYN flooding.) However, can the Responder trust the Initiator to be sincere after the puzzle is verified, and create TCP state only after the TCP ACK? This should not introduce a new attack?
11
HIP Piggybacking Problems: Data encryption.
The TCP ACK in the TCP handshake can contain data. This means that with the presented piggybacking, we would need to encrypt the TCP segment concatenated to I2, and we most likely would need to encrypt possible TCP segments concatenated to R2.
12
HIP Piggybacking Problems: Data encryption.
Instead of concatenating a TCP segment to I2 and R2, we could have ESP(TCP). HIP control messages including ESP seems like overkill (SPI, Sequence Number, Payload Data, Padding, Pad Length, Next Header, Authentication Data). The approach was even removed from the HIP base protocol specification.
13
HIP Piggybacking Problems: Processing Alternatives
Just a quick mention that the piggybacking possibility introduces interesting processing alternatives and implementation issues, depending on the peers' support status.
14
Security Considerations
Vulnerable to man-in-the-middle attacks because the peer's HIT is not known before connection establishment. The fallback mechanism provides the possibility to use unencrypted TCP instead of HIP. Applications should notify users about the connection status.
15
What Next?
Currently, it seems that we should rewrite the presented draft to motivate and cover only the non-piggybacking approach and remove the piggybacking stuff. Write a separate draft on piggybacking-related issues?