Host Identity Protocol

Vlad Balan

Slides: cnds.eecs.jacobs-university.de/courses/nds-2005/balan-hip.pdf

Introduction

Current namespaces: IP and DNS

Host Identity namespace: Host Identifiers (HI)

cryptographic in nature

public key of an asymmetric key-pair

IPsec used for actual packet transmission.

New protocol: Host Identity Protocol, used to create the needed IPsec Security Associations (SA) and to authenticate the hosts.

Background

IP namespaces: IP and DNS

IP: 212.201.48.50

namespace of the networking interfaces and the names of the locations (for routing)

transport layers are coupled to the IP addresses

Domain Names: www.eecs.iu-bremen.de

hierarchically assigned names for some computing platforms and some services

A Namespace for Computing Platforms

An independent namespace could be used across many internetworking layers.

A cryptographically based namespace can provide authentication services.

It should be applied to the IP kernel (replacing the current IP addresses).

The names should have fixed length (128 bits), be possibly globally unique, and be flexible (created locally, delegated partially for routing purposes).

Host Identity Namespace

Host Identifiers (HI) are names in the Host Identity namespace, associated to one or more IP stacks.

A third party authenticator like DNSSEC or PGP can be used for asserting the identity.

Public keys are preferred for HI: they authenticate HIP packets, protect from man-in-the-middle attacks, and are used in a Diffie-Hellman exchange in HIP, also offering denial-of-service protection.

Host Identifiers

What HIs bring new:

a decoupling of the internetworking and transport layers

host authentication (the key can be used with IPsec)

Identities can be shared across multiple hosts.

The Host Identities are to be stored in DNS or LDAP directories and used in the HIP base exchange.

Storing Host Identifiers in DNS

Non-anonymous HIs should be stored in DNS or in various kinds of Public Key Infrastructure, making them suitable for other purposes than pure host identification.

Host Identity Tag

A Host Identity Tag (HIT) is a 128-bit representation of a Host Identity, created by taking a cryptographic hash over the HI.

Advantages:

fixed size makes implementation simpler

it makes the identity consistent across various underlying technologies

HITs should be unique to the IP universe, but if they collide the HIs will make the final difference.

Local Scope Identifier

An LSI is a 32-bit localized representation of a HI, defined in order to facilitate the usage of HIs over the existing IPv4 APIs.

It offers smaller size, but only local scope (otherwise collisions are likely).
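The two identifier forms on the previous slides (HIT: 128-bit hash over the HI; LSI: 32-bit local shorthand), worked through in code. This is an added example, not code from the slides or from any HIP implementation. It assumes SHA-256 with plain truncation for the HIT and the first four bytes of the HIT for the LSI; the real HIT construction in the HIP specifications adds a prefix and context that the slides do not cover, so this models the idea rather than interoperating. The Host Identifiers are constructed byte strings standing in for public keys.

```python
import hashlib
import ipaddress

# Constructed sample Host Identifiers (stand-ins for public keys; not real key material).
HI_ALICE = b"constructed-public-key-alice"
HI_BOB = b"constructed-public-key-bob"


def hit_from_hi(hi: bytes) -> bytes:
    """128-bit HIT: a cryptographic hash over the HI, truncated to 16 bytes.
    Assumption: SHA-256 and plain truncation (the slides do not fix the hash)."""
    return hashlib.sha256(hi).digest()[:16]


def lsi_from_hit(hit: bytes) -> bytes:
    """32-bit LSI: local-scope shorthand for the HI that fits where an IPv4
    address is expected. Assumption: the first 4 bytes of the HIT."""
    return hit[:4]


def hit_to_str(hit: bytes) -> str:
    """A HIT is 128 bits, so it can be shown (and handed to IPv6 APIs) like an IPv6 address."""
    return str(ipaddress.IPv6Address(hit))


def lsi_to_str(lsi: bytes) -> str:
    """An LSI is 32 bits, so it can be shown (and handed to IPv4 APIs) like an IPv4 address."""
    return str(ipaddress.IPv4Address(lsi))


def same_host(hi_a: bytes, hi_b: bytes) -> bool:
    """Fixed-size HIT comparison first; if the HITs match, the full HI
    'makes the final difference': a HIT collision does not make two hosts equal."""
    if hit_from_hi(hi_a) != hit_from_hi(hi_b):
        return False
    return hi_a == hi_b


def lsi_table(his) -> dict:
    """Map each LSI to its HI on this host. Because an LSI is only 32 bits,
    two distinct HIs can collide; refuse to silently overwrite in that case.
    This local bookkeeping is why an LSI is meaningful only on the local host."""
    table = {}
    for hi in his:
        lsi = lsi_from_hit(hit_from_hi(hi))
        if lsi in table and table[lsi] != hi:
            raise ValueError(f"LSI collision for {lsi_to_str(lsi)}")
        table[lsi] = hi
    return table


if __name__ == "__main__":
    for hi in (HI_ALICE, HI_BOB):
        hit = hit_from_hi(hi)
        print(hi.decode(), "HIT", hit_to_str(hit), "LSI", lsi_to_str(lsi_from_hit(hit)))
```

The point of `same_host` is the collision rule from the HIT slide: the HIT is a convenient fixed-size handle, but equality of identity is decided by the HI itself. `lsi_table` shows the flip side for LSIs: with only 32 bits, collisions are expected eventually, so an LSI must never leave the host that assigned it.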

HIP exchange

I --> Directory: lookup R
I <-- Directory: return R’s addresses, and HI and/or HIT

I1  I --> R (Hi. Here is my I1, let’s talk HIP)
R1  I <-- R (OK. Here is my R1, handle this HIP cookie)
I2  I --> R (Compute, compute, here is my counter I2)
R2  I <-- R (OK. Let’s finish HIP with my R2)

I --> R (data)
I <-- R (data)

HIP exchange

+---------------------+---------------------------------------------+
| State               | Explanation                                 |
+---------------------+---------------------------------------------+
| UNASSOCIATED        | State machine start                         |
| I1-SENT             | Initiating HIP                              |
| I2-SENT             | Waiting to finish HIP                       |
| R2-SENT             | Waiting to finish HIP                       |
| ESTABLISHED         | HIP association established                 |
| CLOSING             | HIP association closing, no data can be sent|
| CLOSED              | HIP association closed, no data can be sent |
| E-FAILED            | HIP exchange failed                         |
+---------------------+---------------------------------------------+

New Stack Architecture

IP addresses currently are both locators (for routing) and endpoint identifiers.

In the HIP architecture, endpoint names and locators are separated. IP addresses continue to act as locators. HIs denote endpoints, and can spread across different interfaces.

Transport Associations and Endpoints

New binding for transport layer protocols: TCP connections and UDP associations map no longer to IP addresses but to Host Identities.

Since transport associations are bound to HIs, HIP provides for process migration and clustered servers.

End-Host Mobility and Multi-Homing

HIP decouples the transport from the internetworking layer and binds it to HIs, so it can provide for internetworking mobility (IP address change) and multi-homing (multiple IP addresses per host).

With HIP, existing transport associations are preserved.

Notifications might be needed when the medium/interface changes, in order to send the new address and check for reachability.

Rendezvous server

Reaching a mobile node: dynamic DNS or using a HIP rendezvous server.

The mobile node tells the rendezvous server its current IP address, and the server acts as a proxy for the mobile node.

Note: This is reminiscent of IPv4 Mobile IP and does not really offer the advantages of IPv6 Mobile IP.

Protection against Flooding Attacks

Blindly accepting new addresses from mobile nodes could lead to a DoS attack against third parties: a large number of connections is opened and then re-pointed towards a victim host’s IP address.

HIP includes an address check mechanism where the reachability of a node is separately checked at each address before using the address for larger amounts of traffic.
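The association model of slides 12 to 14 (endpoints named by HITs, IP addresses kept as a separate, changeable set of locators) together with the address check of this slide, as an added example. It is not code from the slides or from a HIP stack. The reachability check is modelled as an echo request carrying a random nonce that must come back from the announced address, and an unverified address may receive at most `UNVERIFIED_CREDIT` bytes before the check succeeds; both the nonce mechanism and the credit value are assumptions made for the example, and all addresses and HITs are constructed.

```python
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Locator:
    """One peer IP address known to an association, with its verification state."""
    address: str
    verified: bool = False
    nonce: Optional[bytes] = None   # outstanding echo request, if any
    bytes_sent: int = 0             # traffic sent while still unverified


class HipAssociation:
    """The association is identified by the HIT pair; the peer's IP addresses
    are a separate set of locators that may change during the association."""

    # Assumption: how much may be sent to an unverified address before the
    # reachability check has to succeed (about one packet's worth here).
    UNVERIFIED_CREDIT = 1500

    def __init__(self, local_hit: bytes, peer_hit: bytes, peer_address: str):
        self.local_hit = local_hit
        self.peer_hit = peer_hit
        # The address the base exchange ran over has already proved reachable.
        self.locators = {peer_address: Locator(peer_address, verified=True)}
        self.preferred = peer_address

    def on_update(self, new_address: str) -> bytes:
        """Peer announces a new locator. Record it as unverified, prefer it,
        and return the echo-request nonce that must be sent TO that address."""
        loc = Locator(new_address, nonce=os.urandom(16))
        self.locators[new_address] = loc
        self.preferred = new_address
        return loc.nonce

    def on_echo_response(self, from_address: str, nonce: bytes) -> bool:
        """Only a reply carrying our nonce, coming back from the announced
        address, proves the peer is really reachable there."""
        loc = self.locators.get(from_address)
        if loc is None or loc.nonce is None or not hmac.compare_digest(loc.nonce, nonce):
            return False
        loc.verified, loc.nonce = True, None
        return True

    def send(self, payload_len: int) -> Optional[str]:
        """Pick the destination for a packet of payload_len bytes. An unverified
        address gets at most UNVERIFIED_CREDIT bytes; beyond that, fall back to
        a verified locator, or send nothing at all."""
        loc = self.locators[self.preferred]
        if loc.verified:
            return loc.address
        if loc.bytes_sent + payload_len <= self.UNVERIFIED_CREDIT:
            loc.bytes_sent += payload_len
            return loc.address
        for other in self.locators.values():
            if other.verified:
                return other.address
        return None


def bytes_reaching_unresponsive_address(assoc: HipAssociation, claimed: str,
                                        packets: int = 100, size: int = 1000) -> int:
    """The peer claims to have moved to `claimed`, but nothing there answers the
    echo request. Return how many bytes the association still sends there."""
    assoc.on_update(claimed)
    return sum(size for _ in range(packets) if assoc.send(size) == claimed)


if __name__ == "__main__":
    a = HipAssociation(b"\x01" * 16, b"\x02" * 16, "192.0.2.10")
    print("bytes sent to an address that never answered:",
          bytes_reaching_unresponsive_address(a, "203.0.113.5"))
```

Without the check, every announced address would immediately receive the association's full traffic; with it, an address that never answers the echo request gets a bounded trickle and the association falls back to the locator it already verified. A genuine move completes as soon as the echo response arrives from the new address.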

HIP and IPsec

IPsec will preferably be used for carrying the actual data traffic. The currently defined method is the IPsec Encapsulated Security Payload (ESP) for data packets.

The cryptographic HIs are used to set up a pair of ESP Security Associations (SA) to enable ESP in an end-to-end manner.

The ESP SAs are controlled by HITs only, making them also independent from underlying protocols.

HIP and NATs

HIP makes transport NAT-transparent since it does not use the IP addresses for identifying endpoints.

From the point of view of HIP, IP addresses can be changed freely during NAT traversal.

HIP and TCP Checksum

The checksum cannot rely on the IP addresses, so the HITs are used instead in computing the checksums.
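A TCP checksum computed over a pseudo-header that carries HITs instead of IP addresses, as an added example (not code from the slides). The pseudo-header layout assumed here is the IPv6 one (source, destination, upper-layer length, zeros, next header), with the two 128-bit HITs in the address slots; the HITs, ports and payload are constructed values.

```python
import struct

# Constructed 128-bit HITs for the two ends of the connection.
HIT_A = bytes(range(1, 17))
HIT_B = bytes(range(17, 33))


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum over 16-bit words, returned complemented
    (i.e. the value that goes into the checksum field)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_hit: bytes, dst_hit: bytes, tcp_len: int) -> bytes:
    """IPv6-shaped pseudo-header with HITs where the IP addresses would be:
    src, dst, upper-layer length, three zero bytes, next header (6 = TCP)."""
    return src_hit + dst_hit + struct.pack("!I", tcp_len) + b"\x00\x00\x00\x06"


def build_segment(src_hit: bytes, dst_hit: bytes, src_port: int, dst_port: int,
                  seq: int, ack: int, flags: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header plus payload, checksum filled in over the HIT pseudo-header."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         5 << 4, flags, 65535, 0, 0)   # data offset 5 words, checksum 0 for now
    segment = header + payload
    csum = internet_checksum(pseudo_header(src_hit, dst_hit, len(segment)) + segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def verify_segment(src_hit: bytes, dst_hit: bytes, segment: bytes) -> bool:
    """Receiver side: the complemented sum over pseudo-header + segment (checksum
    field included) must be 0. Nothing here depends on the IP addresses the
    packet travelled with, so a NAT rewriting them, or the peer moving to a new
    locator, leaves the checksum valid; a different HIT or a damaged byte does not."""
    return internet_checksum(pseudo_header(src_hit, dst_hit, len(segment)) + segment) == 0


if __name__ == "__main__":
    seg = build_segment(HIT_A, HIT_B, 40000, 443, 1, 0, 0x18, b"constructed payload")
    print("checksum field:", hex(struct.unpack("!H", seg[16:18])[0]))
    print("verifies with correct HITs:", verify_segment(HIT_A, HIT_B, seg))
    print("verifies with wrong source HIT:", verify_segment(bytes(16), HIT_B, seg))
```

Because the checksum binds the segment to the HIT pair rather than to a locator pair, the NAT transparency from the previous slide and the checksum rule from this one are the same design decision seen from two sides.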

HIP Policies

All HIP implementations should support two HIs, one for publishing in the DNS and one for anonymous usage. Support for multiple HIs is recommended.

Different HITs can be used in response to different initiator HITs.

Benefits of HIP

HIP provides for cases in which:

the address sent differs from the one received

hosts change their address during the association (session)

a return header cannot simply be formed by reversing the source and the destination

a host does not know what address a partner host can use to send packets to it

all of which were not an issue when designing the initial IP protocols.

Security Considerations

DoS attacks usually rely on the creation of state. With HIP this does not happen until authentication is made and the initiator host has performed computational effort.

MitM attack avoidance relies on third party authentication; however, this is harder to do when using anonymous HIs.
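The base exchange of slides 10 and 11 (I1, R1 with cookie, I2 "compute, compute", R2, and the UNASSOCIATED / I1-SENT / I2-SENT / R2-SENT / ESTABLISHED states) modelled so that the DoS property stated on this slide is visible: the responder keeps no state and does no expensive work until the initiator has solved the R1 puzzle. This is an added example, not code from the slides or from the IETF drafts. Assumptions: SHA-256 for the puzzle; the puzzle condition "the low K bits of H(I | HIT_I | HIT_R | J) are zero"; the puzzle nonce I derived by HMAC from a responder secret so that R1 needs no memory (a common cookie technique, not something the slides specify); and the HI signature and Diffie-Hellman steps left as placeholders. HITs are constructed.

```python
import hashlib
import hmac
import os


def puzzle_ok(i: bytes, hit_i: bytes, hit_r: bytes, j: bytes, k: int) -> bool:
    """Puzzle check (assumption: SHA-256): the low K bits of H(I | HIT_I | HIT_R | J) are zero."""
    digest = hashlib.sha256(i + hit_i + hit_r + j).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0


def solve_puzzle(i: bytes, hit_i: bytes, hit_r: bytes, k: int) -> bytes:
    """The initiator's computational effort: try J values until one fits (about 2**K hashes)."""
    for n in range(1 << 24):
        j = n.to_bytes(8, "big")
        if puzzle_ok(i, hit_i, hit_r, j, k):
            return j
    raise RuntimeError("puzzle unsolved within bound")


class Responder:
    def __init__(self, hit_r: bytes, k: int = 8):
        self.hit_r, self.k = hit_r, k
        self.secret = os.urandom(32)   # assumption: rotated periodically; older R1s then expire
        self.state = {}                # HIT_I -> state; stays empty until a valid I2 arrives

    def _puzzle_nonce(self, hit_i: bytes) -> bytes:
        # I is derived from a secret, so the responder can recognise its own puzzle
        # in I2 without remembering anything about the I1 (stateless cookie).
        return hmac.new(self.secret, b"puzzle" + hit_i + self.hit_r, hashlib.sha256).digest()[:8]

    def on_i1(self, hit_i: bytes) -> dict:
        """R1: no state is created and no expensive operation is performed."""
        return {"type": "R1", "HIT_R": self.hit_r, "I": self._puzzle_nonce(hit_i), "K": self.k}

    def on_i2(self, i2: dict) -> dict:
        """I2: check the cookie and the solution first; only then spend effort and keep state."""
        hit_i, i, j = i2["HIT_I"], i2["I"], i2["J"]
        if not hmac.compare_digest(i, self._puzzle_nonce(hit_i)):
            return {"type": "ERROR", "reason": "puzzle not issued by this responder"}
        if not puzzle_ok(i, hit_i, self.hit_r, j, self.k):
            return {"type": "ERROR", "reason": "wrong puzzle solution"}
        # Placeholder: the real protocol verifies the initiator's HI signature and
        # completes Diffie-Hellman here, before moving to R2-SENT.
        self.state[hit_i] = "R2-SENT"
        return {"type": "R2", "HIT_R": self.hit_r}

    def on_data(self, hit_i: bytes) -> bool:
        """The first data packet after R2 moves the association to ESTABLISHED."""
        if self.state.get(hit_i) not in ("R2-SENT", "ESTABLISHED"):
            return False
        self.state[hit_i] = "ESTABLISHED"
        return True


class Initiator:
    def __init__(self, hit_i: bytes):
        self.hit_i, self.state = hit_i, "UNASSOCIATED"

    def send_i1(self, hit_r: bytes) -> dict:
        self.state = "I1-SENT"
        return {"type": "I1", "HIT_I": self.hit_i, "HIT_R": hit_r}

    def on_r1(self, r1: dict) -> dict:
        j = solve_puzzle(r1["I"], self.hit_i, r1["HIT_R"], r1["K"])   # "compute, compute"
        self.state = "I2-SENT"
        return {"type": "I2", "HIT_I": self.hit_i, "I": r1["I"], "J": j}

    def on_r2(self, r2: dict) -> str:
        self.state = "ESTABLISHED" if r2["type"] == "R2" else "E-FAILED"
        return self.state


def run_exchange(k: int = 8):
    """Full I1/R1/I2/R2 run. Returns (initiator state, responder entries after R1, responder state)."""
    r = Responder(b"\x20" * 16, k)
    i = Initiator(b"\x21" * 16)
    r1 = r.on_i1(i.send_i1(r.hit_r)["HIT_I"])
    entries_after_r1 = len(r.state)          # still 0: an I1 buys the initiator no state
    r2 = r.on_i2(i.on_r1(r1))
    i_state = i.on_r2(r2)
    r.on_data(i.hit_i)
    return i_state, entries_after_r1, r.state.get(i.hit_i)


def i1_burst_leaves_no_state(r: Responder, count: int) -> int:
    """Feed `count` I1s from distinct HITs that never answer R1; return how many entries remain."""
    for n in range(count):
        r.on_i1(n.to_bytes(16, "big"))
    return len(r.state)


if __name__ == "__main__":
    print(run_exchange())
```

Two things to look at: `on_i1` touches no per-initiator memory, so a burst of unanswered I1s costs the responder nothing but the HMAC; and `on_i2` rejects a nonce it did not issue before it evaluates the puzzle, so the first real expense (signature and key agreement in a full implementation) is only paid for an initiator that has already done about 2**K hashes of work. Rotating `secret` bounds how long a solved puzzle stays usable.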

References

Host Identity Protocol, draft-ietf-hip-base-02, R. Moskowitz, P. Nikander, P. Jokela, T. Henderson, IETF Network Working Group, February 21, 2005

Host Identity Protocol Architecture, draft-ietf-hip-arch-05, R. Moskowitz, P. Nikander, P. Jokela, T. Henderson, IETF Network Working Group, September 2003