Moving HIP to Standards Track (Robert Moskowitz, ICSAlabs, an Independent Div of Verizon Business Systems, July 30, 2009; presentation transcript)


1 Moving HIP to Standards Track

Robert Moskowitz
ICSAlabs, an Independent Div of Verizon Business Systems
July 30, 2009
rgm@labs.htt-consult.com

Slides presented (and slightly updated) by Petri Jokela, Ericsson Research, Nomadiclab

2 Items to Discuss

Crypto Agility
HIT & LSI Derivation
Multiple Identities per Host
ESP Mode
HIP without IP
Payload Compression
Responder Description and DNS
HITs as ACLs

3 Crypto Agility

Originally HIP was envisioned as 'Simple'
  − Crypto events have outstripped that world view
HI algorithms
  − Add ECC
HITs
  − More hashing functions
  − Provided with the HI, not negotiated
ESP cipher suites
  − e.g. CCM (Counter with CBC-MAC), GCM (Galois/Counter Mode)

4 HIT & LSI Derivation

Continue to use ORCHIDs?
  − Add options?
  − Can the HIT imply the PK/hash algorithms?
  − Advance the I-D to RFC
LSI space size
  − 2^24 or 2^16?
  − 127.n.x.x -> “more than enough” for one host
  − IANA allocation?

5 Multiple Identities per Host

HIP was 'forced' to be an identity for an IP stack
No conceptual reason why any object or process on a host could not have its own unique ID
  − And thus its own HI
Need a consistent mechanism to associate an HI with one or more processes
  − Maybe it is already there
Relax the requirement of “one HI per host” in the Architecture RFC

6 ESP Mode

Do we really need BEET?
  − Must clearly delineate why NOT transport or tunnel mode
  − Actual demonstration of what goes wrong without BEET?
  − Advance the I-D to RFC (Informational?)

7 HIP without IP

Local net may be Layer 2 only
HIP & ESP directly over Ethernet and other link layers
  − IEEE 802.15.1 (Bluetooth)
  − IEEE 802.15.4 (sensor nets)
    Current frame limited to 127 bytes
      − See 6LoWPAN
    802.15.4g MAY increase this for Smart Utility Networks
  − IEEE 802.15.6 (medical body area nets)
    Different proposed MACs with different maximum frame sizes

8 Payload Compression

ESP authentication is 'stronger' than the TCP and UDP checksums
Low-bandwidth networks are already 'suffering' from ESP authentication overhead
Prior to insertion in ESP, remove the transport checksum
While removing the ESP wrapper, compute and add the checksum back
Should be the default mode of operation
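The two steps on this slide, as an added example that is not part of the slides or of any HIP implementation: the sender drops the two UDP checksum octets before the datagram goes into ESP, and the receiver recomputes them only after the ESP ICV has verified. The pseudo-header is built from the HITs, because inside a HIP association the transport layer addresses its peer by HIT, not by the outer IP address; the HITs and the datagram bytes below are constructed for the example.

```python
"""Added example (not from the slides): strip the UDP checksum before ESP
encapsulation and recompute it after the ESP ICV has been checked. The
checksum pseudo-header uses the HITs, because the transport layer inside a
HIP association addresses its peer by HIT. All packet bytes are constructed."""
import ipaddress
import struct

UDP_NEXT_HEADER = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp6_checksum(src: str, dst: str, udp: bytes) -> int:
    """UDP checksum over the IPv6 pseudo-header (RFC 2460 section 8.1) plus
    the datagram with its own checksum field taken as zero."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(udp), UDP_NEXT_HEADER))
    cs = ~ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) & 0xFFFF
    return cs or 0xFFFF  # a computed zero is transmitted as all ones


def udp6_checksum_ok(src: str, dst: str, udp: bytes) -> bool:
    return struct.unpack("!H", udp[6:8])[0] == udp6_checksum(src, dst, udp)


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP datagram with a correct checksum (test input only)."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    cs = udp6_checksum(src, dst, hdr + payload)
    return hdr[:6] + struct.pack("!H", cs) + payload


def compress_udp(src_hit: str, dst_hit: str, udp: bytes) -> bytes:
    """Sender: drop the two checksum octets before handing the datagram to ESP.
    Refuse if the checksum is already bad, so corruption that happened before
    this point is not laundered into a datagram the receiver will accept."""
    if not udp6_checksum_ok(src_hit, dst_hit, udp):
        raise ValueError("bad UDP checksum before compression")
    return udp[:6] + udp[8:]


def decompress_udp(src_hit: str, dst_hit: str, compressed: bytes) -> bytes:
    """Receiver: only after ESP authentication succeeded, re-insert a freshly
    computed checksum so an unmodified UDP stack accepts the datagram."""
    body = compressed[:6] + b"\x00\x00" + compressed[6:]
    cs = udp6_checksum(src_hit, dst_hit, body)
    return body[:6] + struct.pack("!H", cs) + body[8:]


# Constructed HITs (inside the 2001:10::/28 ORCHID prefix) and a sample datagram.
SRC_HIT, DST_HIT = "2001:10::1", "2001:10::2"
SAMPLE_UDP = build_udp(SRC_HIT, DST_HIT, 40000, 53, b"example query")

if __name__ == "__main__":
    compressed = compress_udp(SRC_HIT, DST_HIT, SAMPLE_UDP)
    print(len(SAMPLE_UDP), "->", len(compressed), "bytes; round trip ok:",
          decompress_udp(SRC_HIT, DST_HIT, compressed) == SAMPLE_UDP)
```

The saving is two octets per datagram, which matters on the 127-byte frames of slide 7 more than anywhere else. Two caveats a practitioner should keep in mind: the restore step must use the same addresses the sending stack used (recomputing over the outer IP addresses produces a different value and the datagram is dropped by the application's stack), and the step may only run after the ESP ICV check, since before that point nothing vouches for the payload.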

9 Responder Description

HI, hash used, HIT
  − Can there be multiple HITs? One per 'allowed' hash
HIT hash algorithm information in DNS
  − Should HITs even be included? Expected to be generated from the HI and the hash
  − HI lifetime (in DNS): implicit revocation
HI hashes accepted
  − No negotiation. Use or go away
ESP cipher suites accepted
  − Same DNS RR needs an IANA permanent assignment

10 HITs as ACLs

Is the HIT sufficient, or is the hash needed as well?
What works for SSH?
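The questions on slides 4, 9 and 10 all come down to the same operation: regenerating a HIT from a Host Identity and a hash. The following is an added example, not code from the slides or from any HIP implementation. It derives a HIT with the RFC 4843 ORCHID construction and the RFC 5201 HIP context ID, parses a HIP DNS RR (RFC 5205 wire format) and checks that the HIT it carries really derives from its public key, shows why a verifier has to try each accepted hash when the HIT does not name one, and applies the same check to an ACL of HITs. Assumptions: SAMPLE_HI is a constructed byte string standing in for a public key (the exact HI encoding RFC 5201 feeds to the hash is not reproduced), the "sha256" variant exists only to illustrate the agility question (RFC 4843 fixes SHA-1), and lsi_from_hit is an illustration of the 127.x.x.x proposal, not a specified mapping.

```python
"""Added example (not from the slides): regenerate a HIT from a Host Identity
and use that to check a HIP DNS RR, to infer which hash produced a HIT, to
match a peer's HI against an ACL of HITs, and to map a HIT onto an LSI in the
127.x.x.x space the slides propose. SAMPLE_HI is a constructed byte string,
not a real key; the HI encoding fed to the hash is a placeholder assumption."""
import hashlib
import ipaddress
import struct

ORCHID_PREFIX = 0x2001001  # 2001:10::/28, RFC 4843 (28 bits)
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")  # RFC 5201 section 3.2
PK_ALGORITHMS = {1: "DSA", 2: "RSA"}  # HIP RR PK algorithm values, RFC 5205
SAMPLE_HI = b"\x01\x00\x01" + bytes(range(64))  # constructed stand-in for a public key


def orchid(hi: bytes, hash_name: str = "sha1") -> ipaddress.IPv6Address:
    """ORCHID := Prefix | Encode_100(Hash(Context ID | Input)), RFC 4843.
    RFC 4843 fixes SHA-1; other hashes are accepted here only to show the
    crypto-agility question. Encode_100 takes the middle 100 bits."""
    digest = hashlib.new(hash_name, HIP_CONTEXT_ID + hi).digest()
    shift = (len(digest) * 8 - 100) // 2
    middle100 = (int.from_bytes(digest, "big") >> shift) & ((1 << 100) - 1)
    return ipaddress.IPv6Address((ORCHID_PREFIX << 100) | middle100)


def is_orchid(addr: ipaddress.IPv6Address) -> bool:
    return addr in ipaddress.IPv6Network("2001:10::/28")


def infer_hash(hi: bytes, hit: ipaddress.IPv6Address, accepted=("sha1", "sha256")):
    """The HIT does not name its hash, so a verifier must try each hash it
    accepts (slide 9: no negotiation, use or go away). Returns the matching
    hash name, or None if the HIT was not derived from this HI."""
    for name in accepted:
        if orchid(hi, name) == hit:
            return name
    return None


def acl_permits(hi: bytes, acl: set, accepted=("sha1", "sha256")) -> bool:
    """Slide 10: an ACL of bare HITs is checkable only if the verifier knows,
    or can enumerate, the hash used to derive each entry."""
    return any(orchid(hi, name) in acl for name in accepted)


def lsi_from_hit(hit: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Illustrative 127.x.x.x LSI from the low 24 bits of the HIT (2^24 space).
    This mapping is an assumption of the example, not part of any HIP spec;
    a host must still detect collisions between the HITs it knows."""
    return ipaddress.IPv4Address((127 << 24) | (int(hit) & 0xFFFFFF))


def encode_name(name: str) -> bytes:
    """Uncompressed DNS wire-format name, as RFC 5205 requires for RVS fields."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_hip_rdata(hi: bytes, hit: ipaddress.IPv6Address, pk_alg: int, rvs) -> bytes:
    """HIP RR RDATA (RFC 5205): HIT length | PK algorithm | PK length | HIT |
    public key | rendezvous server names."""
    return (struct.pack("!BBH", 16, pk_alg, len(hi)) + hit.packed + hi
            + b"".join(encode_name(n) for n in rvs))


def parse_hip_rdata(rdata: bytes) -> dict:
    """Parse HIP RR RDATA and record which hash, if any, ties the HIT to the HI.
    If the HIT always derives from the HI, the RR could omit it (slide 9)."""
    hit_len, pk_alg, pk_len = struct.unpack("!BBH", rdata[:4])
    if hit_len != 16 or len(rdata) < 4 + hit_len + pk_len:
        raise ValueError("malformed HIP RDATA")
    off = 4
    hit = ipaddress.IPv6Address(rdata[off:off + hit_len]); off += hit_len
    hi = rdata[off:off + pk_len]; off += pk_len
    rvs = []
    while off < len(rdata):
        labels = []
        while rdata[off]:
            n = rdata[off]
            labels.append(rdata[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
        off += 1  # root label terminates the name
        rvs.append(".".join(labels))
    return {"hit": hit, "hi": hi, "pk_alg": PK_ALGORITHMS.get(pk_alg, pk_alg),
            "rvs": rvs, "hit_hash": infer_hash(hi, hit)}


if __name__ == "__main__":
    hit = orchid(SAMPLE_HI)
    rdata = build_hip_rdata(SAMPLE_HI, hit, 2, ["rvs.example.net"])
    print(hit, lsi_from_hit(hit), parse_hip_rdata(rdata))
```

The point the code makes for slide 10 is that a HIT in an ACL is only a commitment to an HI under one particular hash: a verifier that accepts several hashes must either store the hash beside each entry or try them all, and the "hit_hash" field coming back as None is the signal that a published HIT and HI do not belong together.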

11 Other

Various implementation experience details, such as:
  − MTU and packet fragmentation issues
  − Middleboxes: signaling proxies / mobile router
      Overlay networking
  − Protocol and extensions: 8-way handshake for small MTUs

12 Schedule

Current RFCs
  − Architecture: RFC 4423
  − Base HIP: RFC 5201
  − ESP transport format: RFC 5202
  − HIP registration extension: RFC 5203
  − HIP rendezvous extension: RFC 5204
  − HIP DNS extension: RFC 5205
  − End-host mobility and multihoming: RFC 5206
  − HIP & legacy applications: RFC 5338
Updated versions out before IETF 76
WG Last Call before IETF 77

13 Questions?
