HOST IDENTITY PROTOCOL


What is HIP

● A multi-addressing and mobility solution for the Internet
● Also a security protocol for authentication and encryption
● Adds a new layer to separate the transport and network layers
● The new layer maps host identifiers to network addresses and vice versa


History

• 1999: Idea discussed briefly at the IETF
• 2001: Two BoFs, no WG created at that time
• 2002-2003: development in the corridors
• 2004: WG and RG created
• 2007: first stable version


Achievements

● Mobility
● Multi-Homing
● Security
● NAT / IPv4 / IPv6 traversals


Host Identity Tag (HIT)

● A public key is used to identify an end-host
● A 128-bit host identity tag (HIT) is used for system calls
● The HIT is a hash of the public key and has global scope
● A 32-bit local scope identifier (LSI) is used for IPv4 compatibility
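As an added illustration of the HIT and LSI described on this slide (written for this page, not code from the slides or from any HIP implementation): the snippet below hashes a constructed sample public key with SHA-256, keeps the first 128 bits as a HIT that fits an IPv6 address field, and carves a 32-bit LSI out of the low bits under a 1.0.0.0/8 prefix. The hash choice, the truncation and the LSI layout are simplifying assumptions; the real HIT encoding (ORCHID) reserves a fixed IPv6 prefix and hashes the key together with a context identifier, which is not reproduced here.

```python
import hashlib
import ipaddress

# Constructed sample: in real HIP the Host Identity (HI) is an encoded RSA,
# DSA or ECDSA public key. A fixed byte string stands in for it here.
SAMPLE_HI = b"-----BEGIN PUBLIC KEY----- constructed sample host identity"


def hit_from_hi(hi: bytes) -> ipaddress.IPv6Address:
    """Derive a 128-bit Host Identity Tag from an encoded Host Identity.

    Assumption for this example: SHA-256 over the key, truncated to the
    first 128 bits. The slide only states that the HIT is a hash of the
    public key with global scope; the ORCHID prefix/context-ID encoding
    used by HIP proper is deliberately left out.
    """
    digest = hashlib.sha256(hi).digest()
    return ipaddress.IPv6Address(digest[:16])


def lsi_from_hit(hit: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Derive a 32-bit Local Scope Identifier for IPv4-only applications.

    Assumption: the low 24 bits of the HIT are placed under a 1.0.0.0/8
    prefix. The LSI has only local scope, so collisions across hosts do
    not matter; it exists to fit a HIT-bound connection into a 32-bit API.
    """
    low24 = int(hit) & 0xFFFFFF
    return ipaddress.IPv4Address((1 << 24) | low24)


def same_identity(hi: bytes, hit: ipaddress.IPv6Address) -> bool:
    """Check a presented HI against a HIT.

    This is the binding a peer must verify before trusting a signature
    made with the presented key: a HIT that does not match the hash of
    the key says nothing about who holds it.
    """
    return hit_from_hi(hi) == hit


if __name__ == "__main__":
    hit = hit_from_hi(SAMPLE_HI)
    print("HIT:", hit)
    print("LSI:", lsi_from_hit(hit))
    print("HI matches HIT:", same_identity(SAMPLE_HI, hit))
```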


WHY

● To overcome the shortcomings of the existing Internet, namely
  ○ The dual role of IP as both host identifier and locator
  ○ The lack of security with IP
● To make end-host mobility and multi-homing very easy to implement


How it works

● HIP introduces a host identity layer between the transport and network layers
● HIP uses the base exchange to perform authentication and establish session keys before communication
● Communication data are protected using IPsec ESP
● HIP provides a readdressing mechanism to support IP address changes with mobility and multi-homing


Architecture

(The first "Architecture" slide is a figure only.)

● Transport layer communication is bound to the host identity instead of the IP address
● The binding between host identity and IP address is dynamic and can have a one-to-many relationship
● A host layer protocol is developed to make HIP work


Host Layer Protocol

● A signalling protocol between the communicating end-points
● Performs mutual end-to-end authentication
● Creates IPsec ESP Security Associations for integrity protection and encryption
● Performs reachability verification
● Consists of 7 message types, four of which are dedicated to the base exchange


Protocol overview

Initiator                                              Responder

  I1: HIT_I, HIT_R or NULL                                -->
  <--            R1: HIT_I, [HIT_R, puzzle, DH_R, HI_R]sig
  I2: [HIT_I, HIT_R, solution, DH_I, {HI_I}]sig           -->
  <--            R2: [HIT_I, HIT_R, authenticator]sig
  User data messages                <-->         User data messages

(In the figure, I1 through R2 are labelled "Control" and the user data messages "Data" on both sides.)


Base Exchange

● Step 1: Initiator (I) sends the first I1 packet, which contains its own HIT and the HIT of the responder, to the responder (R)
● Step 2: R replies with message R1, which contains the HITs of I and itself as well as a puzzle-based challenge for I to solve
● Step 3: I solves the puzzle and sends in I2 the HITs of itself and R as well as the solution to the puzzle, and performs the authentication
● Step 4: R now commits itself to the communication, responds with the HITs of I and itself, and performs the authentication
● After this, I and R have performed mutual authentication and established Security Associations for ESP
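To make the four steps above concrete, here is an added example (written for this page; not code from the slides or from HIPL) that walks I1, R1, I2 and R2 between an initiator and a responder. It focuses on the puzzle, which is what lets the responder stay cheap: R1 carries a nonce I and a difficulty K, the responder keeps no state, and only when I2 brings a J such that the low-order K bits of SHA-256(I | HIT_I | HIT_R | J) are zero (the check the HIP base exchange defines) does the responder verify the presented host identity and commit to the association. The message dictionaries, the HMAC-derived nonce, the toy HIT function and the sample host identities are this example's own assumptions; the Diffie-Hellman values and signatures that real R1/I2/R2 messages carry are omitted.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def hit(hi: bytes) -> bytes:
    """Toy HIT: first 128 bits of SHA-256 over the encoded host identity
    (assumption for this example; the real ORCHID encoding is not reproduced)."""
    return hashlib.sha256(hi).digest()[:16]


@dataclass(frozen=True)
class Puzzle:
    nonce_i: bytes  # random value I chosen by the responder
    k: int          # difficulty: number of low-order hash bits that must be zero


def solution_valid(hit_i: bytes, hit_r: bytes, puzzle: Puzzle, j: bytes) -> bool:
    """Both sides run this: low-order K bits of H(I | HIT_I | HIT_R | J) are zero."""
    h = hashlib.sha256(puzzle.nonce_i + hit_i + hit_r + j).digest()
    return (int.from_bytes(h, "big") & ((1 << puzzle.k) - 1)) == 0


def solve_puzzle(hit_i: bytes, hit_r: bytes, puzzle: Puzzle) -> bytes:
    """Initiator brute-forces J: roughly 2^K hashes for the initiator,
    a single hash for the responder to verify. That asymmetry is the point."""
    j = 0
    while True:
        cand = j.to_bytes(8, "big")
        if solution_valid(hit_i, hit_r, puzzle, cand):
            return cand
        j += 1


class Responder:
    """Responder that keeps no per-initiator state until a valid I2 arrives."""

    def __init__(self, hi: bytes, k: int = 10):
        self.hi, self.hit, self.k = hi, hit(hi), k
        self.secret = secrets.token_bytes(32)  # derives puzzle nonces (rotate in practice)
        self.peers = {}                        # HIT_I -> HI_I once the exchange completes

    def _nonce_for(self, hit_i: bytes) -> bytes:
        # Nonce bound to HIT_I, so a solution computed for one initiator is
        # useless for another and the responder need not remember R1s.
        return hmac.new(self.secret, hit_i, "sha256").digest()[:8]

    def on_i1(self, msg: dict) -> Optional[dict]:
        if msg["hit_r"] not in (self.hit, None):
            return None  # not addressed to us (NULL HIT_R is the opportunistic case)
        puzzle = Puzzle(self._nonce_for(msg["hit_i"]), self.k)
        return {"type": "R1", "hit_i": msg["hit_i"], "hit_r": self.hit,
                "puzzle": puzzle, "hi_r": self.hi}

    def on_i2(self, msg: dict) -> Optional[dict]:
        if msg["hit_r"] != self.hit:
            return None
        puzzle = Puzzle(self._nonce_for(msg["hit_i"]), self.k)
        if not solution_valid(msg["hit_i"], self.hit, puzzle, msg["solution"]):
            return None  # cheap rejection before any expensive work
        if hit(msg["hi_i"]) != msg["hit_i"]:
            return None  # presented HI does not match the claimed HIT
        self.peers[msg["hit_i"]] = msg["hi_i"]  # only now is state committed
        return {"type": "R2", "hit_i": msg["hit_i"], "hit_r": self.hit}


def run_base_exchange(hi_i: bytes, responder: Responder,
                      solution: Optional[bytes] = None) -> bool:
    """Drive I1/R1/I2/R2 from the initiator's side. A caller may inject a
    wrong `solution` to watch the responder refuse to commit state."""
    hit_i = hit(hi_i)
    r1 = responder.on_i1({"type": "I1", "hit_i": hit_i, "hit_r": responder.hit})
    if r1 is None:
        return False
    if hit(r1["hi_r"]) != r1["hit_r"]:
        return False  # initiator checks the responder's HI against HIT_R too
    if solution is None:
        solution = solve_puzzle(hit_i, r1["hit_r"], r1["puzzle"])
    r2 = responder.on_i2({"type": "I2", "hit_i": hit_i, "hit_r": r1["hit_r"],
                          "solution": solution, "hi_i": hi_i})
    return r2 is not None and r2["type"] == "R2"


if __name__ == "__main__":
    # Constructed sample host identities standing in for public keys.
    ok = run_base_exchange(b"constructed initiator HI", Responder(b"constructed responder HI"))
    print("base exchange completed:", ok)
```

Raising `k` by one doubles the initiator's expected work while the responder's cost stays at one hash per I2, which is how a responder under load can throttle initiators without keeping state for each half-open exchange.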


Mobility with HIP

● HIP provides a dynamic binding between a Host ID and IP addresses
● A mobile node sends a REA (readdressing) packet to its peer to inform it of the change of address
● The peer verifies the reachability of the mobile node at the new address

Mobility with HIP (figure only)

Multi-homing

A host can have multiple network interfaces


Multihoming with HIP

● HIP provides a one-to-many binding between a Host ID and IP addresses
● A multi-homed host can send a series of available addresses to its peer and designate a preferred address
● The peer host can choose the communication address in case of failover or based on load-balancing considerations
● An update message is enough to make it work
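The mobility and multi-homing handling described on the two slides above, as an added example (not from the slides or from any HIP implementation): the peer receives a readdressing/update message announcing a locator set with a preferred address, challenges every address it has not seen before with an ECHO_REQUEST nonce (the address-verification mechanism used by HIP mobility), and only sends data to an address once the matching ECHO_RESPONSE has returned from it. If the preferred address is not yet verified, traffic stays on any other verified locator, which is the failover case. The classes, field names and sample addresses are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Locator:
    address: str
    preferred: bool = False
    verified: bool = False              # True only after a correct ECHO_RESPONSE
    echo_nonce: Optional[bytes] = None  # outstanding ECHO_REQUEST nonce, if any


class PeerAssociation:
    """The peer's view of one HIP association: a HIT bound to a set of locators.
    Data is only ever sent to a locator whose reachability has been verified,
    so a forged readdress cannot redirect the flow to an arbitrary address."""

    def __init__(self, peer_hit: str):
        self.peer_hit = peer_hit
        self.locators: Dict[str, Locator] = {}

    def on_readdress(self, addresses: List[str], preferred: str) -> Dict[str, bytes]:
        """Handle a readdressing (REA/UPDATE) message carrying the new locator set.
        Returns {address: nonce}: the ECHO_REQUESTs to send to each address that
        has not been verified before."""
        if preferred not in addresses:
            raise ValueError("preferred address must be in the announced set")
        challenges: Dict[str, bytes] = {}
        for addr in addresses:
            loc = self.locators.get(addr)
            if loc is None:
                # New address: unverified until the echo comes back from it
                loc = Locator(addr, echo_nonce=secrets.token_bytes(16))
                self.locators[addr] = loc
                challenges[addr] = loc.echo_nonce
            loc.preferred = (addr == preferred)
        # Addresses the mobile node no longer announces are dropped
        for addr in list(self.locators):
            if addr not in addresses:
                del self.locators[addr]
        return challenges

    def on_echo_response(self, addr: str, nonce: bytes) -> bool:
        """Accept an ECHO_RESPONSE only if it echoes the nonce sent to that
        address; a replayed, stale or guessed nonce does not activate it."""
        loc = self.locators.get(addr)
        if loc is None or loc.echo_nonce is None:
            return False
        if not hmac.compare_digest(loc.echo_nonce, nonce):
            return False
        loc.verified = True
        loc.echo_nonce = None
        return True

    def destination(self) -> Optional[str]:
        """Where the next data packet goes: the preferred locator if verified,
        otherwise any verified one (failover); None if nothing is verified."""
        verified = [loc for loc in self.locators.values() if loc.verified]
        for loc in verified:
            if loc.preferred:
                return loc.address
        return verified[0].address if verified else None


if __name__ == "__main__":
    # Constructed walk-through: a node moves from one address to a second one.
    assoc = PeerAssociation("HIT_M (constructed)")
    challenges = assoc.on_readdress(["198.51.100.10"], "198.51.100.10")
    assoc.on_echo_response("198.51.100.10", challenges["198.51.100.10"])
    challenges = assoc.on_readdress(["198.51.100.10", "203.0.113.5"], "203.0.113.5")
    print("before verification:", assoc.destination())
    assoc.on_echo_response("203.0.113.5", challenges["203.0.113.5"])
    print("after verification:", assoc.destination())
```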

Multihoming with HIP (figure only)

Implementation

● Involves kernel-level programming, since the host layer protocol works under the transport layer
● Only the base exchange is implemented in the HIPL project
● HIP is implemented as a kernel module, which uses a user space daemon for cryptographic operations


Using HIP with ESP

(figure: a client host and a server host, each with an application, the socket API, a HIP daemon, a DNS library and IPsec SPD/SAD, with a DNS server between them; the flow shown is:)

● Client app: DNS query via the DNS library to the DNS server; the DNS reply yields HIT -----> {IP addresses}
● Client app: connect(HIT_S); TCP SYN to HIT_S enters the socket API
● Client HIP daemon / IPsec: convert HITs to IP addresses; ESP protected TCP SYN to IPaddr_S goes on the wire
● Server IPsec / HIP daemon: convert IP addresses to HITs; TCP SYN from HIT_C is delivered to the server app


HIP as the new waist of TCP/IP

(figure: the protocol stack, shown twice, with the Host identity layer inserted between transport and network)

    v4 app   |  v6 app
    TCPv4    |  TCPv6
       Host identity
    IPv4     |  IPv6
       Link layer

Thanks