Upload
melvyn-ferguson
View
223
Download
0
Tags:
Embed Size (px)
Citation preview
HOST IDENTITY PROTOCOL
1
What is HIP● A multi-addressing and mobility solution for
the Internet● Also a security protocol for authentication and
encryption● Add a new layer to separate transport and
network layers● The new layers maps host identifiers to network
address and vice versa
2
History•1999 : Idea discussed briefly at the IETF
•2001: Two BoFs, no WG created at that time
•02-03: development at the corridors
•2004: WG and RG created
• 2007 : first stable version
3
Achievements Mobility Multi-Homing Security NAT / IPv4 / IPv6 traversals
5
Host Identify Tag (HIT)● A public key is used to identify an end-host● A 128-bit host identify tag (HIT) is used for
system call● HIT is a hash on public key and has a global
scope● A 32-bit local scope identifier (LSI) is used for
IPv4 compatibility
6
WHY● To overcome the shortcoming of existing
Internet, namely
○ The dual role of IP as both host identifier and locator
○ The lack of security with IP
● To make end-host mobility and multi-homing very easy to implement
7
How it works● HIP introduces host identity layer between
transport and network layers● HIP uses base exchange to perform
authentication and establish session keys before communication.
● Communication data are protected using IPsec ESP
● HIP provides a readdressing mechanism to support IP changes with mobility and multi-homing
8
Architecture
9
Architecture● Transport layer communication is bound to host
identity instead of IP● The binding between host identity and IP is
dynamic and can have a one-to-many relationship
● A host layer protocol is developed to make HIP work
10
Host Layer Protocol
● A signal protocol between the communicating end-points
● Perform mutual end-to-end authentication● It creates IPsec ESP Security Associations for
integrity protection and encryption● Perform reachability verification● Consists of 7 message types, four of which are
dedicated to the base exchange
11
Protocol overviewInitiator Responder
I1: HITI, HIT
R or NULL
R1: HITI, [HIT
R, puzzle, DH
R, HI
R]sig
I2: [HITI, HIT
R, solution, DH
I, {HI
I}]
sigR2: [HIT
I, HIT
R, authenticator]
sigUser data messagesUser data messages
Con
trol
Con
trol
Dat
aD
ata
13
Base Exchange● Step 1: Initiator (I) sends the first I1 packet, which contains own
HIT and the HIT of the responder to the responder (R)
● Step 2: R relies with message R1, which contains the HITs of I and itself as well as a puzzle based challenge for I to solve
● Step 3: I solves the puzzle and sends in I2 the HITs of itself and R as well as the solution to the puzzle, and performs the authentication
● Step 4: R now commits itself to the communication, and respond with HITs of I and itself, and performs the authentication.
● After this, I and R have performed the mutual authentication and established Security Associations for ESP 15
Mobility with HIP● HIP provides dynamic binding between a Host ID
and IP addresses.
● A mobile node sends REA (readdressing) package to its peer to inform the change of address
● The peer verifies the reachbility of the mobile node with the new address
16
Mobility with HIP
17
Multi-homing
A host can have multiple network interfaces
18
Multihoming with HIP● HIP provides one-to-many binding between a
Host ID and IP● A multi-homing can send a series of available
address to its peer and designate a preferred address
● The peer host can choose communication address in case failover or based on load balance consideration
● An update message is enough to make it work
19
Multihoming with HIP
20
Implementation● Involves kernel level programming since the host
layer protocol works under the transport layer● Only base exchange is implemented in a HIPL
project● HIP is implemented as a kernel module, which
uses a user space daemon for cryptographic operations
21
Using HIP with ESP
HIP daemon HIP daemonHIP daemon
Server appServer app
socket APIsocket API socket APIsocket API
IPsecSADIPsecSAD
IPsecSPDIPsecSPD
IPsecSPDIPsecSPD
IPsecSADIPsecSAD
TCP SYN
to HITS
DNS query
ESP protected TCP SYN
to IPaddrS
convert HITs to IP addresses convert IP addresses to HITs
TCP SYN
from HITC
DNS serverDNS serverDNS replyClient appClient app
HITDNS libraryDNS library
HIT ----- > {IP addresses}connect(HIT
S)
22
HIP as the new waist of TCP/IP
v4 app
TCPv4
IPv4
Link layer
TCPv6
IPv6
v6 app v4 app
TCPv4
IPv4
Link layer
TCPv6
IPv6
v6 app
Host identity Host identity
23
Thanks
25