Thomas Dietz <[email protected]>

The Host Identity Protocol (HIP)

© NEC Europe Ltd. 2005


Outline

• Motivation
• History
• The HIP Solution
• The Basic Idea
• Socket Bindings
• HIP Protocol
• Summary
• Current Internet Drafts
• References


Motivation 1: Devices become mobile

• Computers are getting more mobile and more connected (e.g. a PDA with GSM / UMTS / WLAN / Bluetooth)

• Internet connectivity for these mobile devices is getting cheaper and may be ubiquitous in a few years

• Mobile IP(v6) is very complex and difficult to manage

• Internet addresses are still addresses
  – bound to places in the network topology
  – working less well as identifiers for devices


Motivation 2: Locators and Host Identifiers

• IP addresses are both Locators and Host Identifiers
  – IP addresses are bound to the network topology and specify the place of the host in the network, so IP addresses are Locators
  – Network connections are bound to IP addresses, so IP addresses are Host Identifiers
• A host can have multiple IP addresses
  – at the same time (multi-homing, IPv4/v6)
  – one after another (mobile host connecting to different providers or at different locations)


Motivation 2 cont.: Locators and Host Ids

• Good from a security point of view
  – A packet sent to Alice's address is indeed sent to Alice, because Alice is identified by the address!
• Bad from a mobility / multi-homing point of view
  – A host that changes its location must change its identity (this leads to the Home Address / Care-of-Address design in Mobile IP)
  – A multi-homed host must have multiple identities
  – Managing multiple / dynamic addresses becomes harder than necessary


History of HIP

• The idea of separating Location and Identity is not new
• HIP first discussed at the 47th IETF
• HIP working group formed at the 58th IETF (Nov. 2003, Minneapolis)
• HIP has an active developer community and several interoperating implementations (at least 3: Boeing, HUT, Ericsson Research)
• The HIP base protocol is ready, but more work is needed on infrastructure issues


The HIP solution 1

• Separate locators from host identifiers
  – IP addresses continue to function as locators
  – No changes to the routing infrastructure are needed
  – A mobile host still needs to keep changing its address
  – A multi-homed host still has multiple addresses
• Integrate security, mobility, and multi-homing
  – Opportunistic host-to-host IPsec ESP
  – End-host mobility, across IPv4 and IPv6
  – End-host multi-address multi-homing, IPv4/v6
  – IPv4/v6 interoperability for apps


The HIP solution 2

• Introduces a new layer between IP and transport
• Introduces cryptographic Host Identifiers
• Creates a new name space for Host Identifiers
  – Use public keys as primary identifiers
• Provides a secure binding between a host's public key and its IP address(es)
  – Introduce a new protocol and payload
  – Use ESP transport


The Basic Idea

• Introduce a new layer
• Introduce a new namespace (Host Identifier, HI)
  – Use public crypto keys
  – Represent the keys as hash values called Host ID Tags (HIT)
• Bind sockets to HIs, no longer to IP addresses
• Translate HIs to IP addresses transparently in the kernel

[Figure: layer model with the new Host Identity layer, and the name each layer works with]
  Process
  Transport      <Host ID, port>  (previously <IP address, port>)
  Host Identity  Host ID
  IP Layer       IP address
  Link Layer     Link Layer address (Ethernet address)


Socket Bindings

[Figure: socket bindings, current vs. HIP]
  Current bindings: Process → Socket → IP Address, which is both the end point and the location
  HIP bindings:     Process → Socket → Host ID (end point) → IP Address (location); the binding from Host ID to IP Address is dynamic
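The two slides above describe the new name space (public key as Host Identifier, its hash as the HIT) and the changed socket binding (sockets bind to a HIT, the HIP layer swaps in whichever IP address currently serves as the locator). The following Python is an added illustration, not code from the presentation or from any HIP implementation. It assumes a simplified HIT derivation (the first 128 bits of SHA-1 over the public key bytes; the real draft encoding adds a type prefix) and uses a constructed byte string in place of a real DER-encoded public key. The `HipLayer` class, its method names and the sample addresses are all assumptions made for this example.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field


def host_identity_tag(host_identity: bytes) -> ipaddress.IPv6Address:
    # Simplified HIT derivation (assumption for this example): the first 128 bits
    # of SHA-1 over the Host Identity, i.e. the host's public key bytes. A 128-bit
    # tag fits wherever an IPv6 address fits, which is what lets sockets bind to it.
    # The draft encoding adds a type prefix; that detail is not modelled here.
    return ipaddress.IPv6Address(hashlib.sha1(host_identity).digest()[:16])


def hit_matches(host_identity: bytes, hit: ipaddress.IPv6Address) -> bool:
    # The check that makes the name space "cryptographic": whoever claims a HIT must
    # present a public key that hashes to it (the base exchange additionally proves
    # possession of the private key; that part is out of scope for this example).
    return host_identity_tag(host_identity) == hit


@dataclass
class HipLayer:
    """Stand-in for the HIP layer between transport and IP (hypothetical class):
    sockets above it are bound to <HIT, port>; it maps each HIT to that host's
    current locators (IP addresses) and translates in both directions."""
    locators: dict = field(default_factory=dict)   # HIT -> ordered list of IP addresses

    def add_locator(self, hit, addr):
        # Learned from the base exchange, or from a REA packet of a multi-homed peer.
        addr = ipaddress.ip_address(addr)
        addrs = self.locators.setdefault(hit, [])
        if addr not in addrs:
            addrs.append(addr)

    def move_locator(self, hit, old, new):
        # An UPDATE from a mobile peer: the identity stays, only the address changes,
        # so the socket bound to <HIT, port> never notices the move.
        old, new = ipaddress.ip_address(old), ipaddress.ip_address(new)
        addrs = self.locators[hit]
        addrs[addrs.index(old)] = new

    def drop_locator(self, hit, addr):
        # A multi-homed peer lost one interface; remaining locators stay usable.
        self.locators[hit].remove(ipaddress.ip_address(addr))

    def outbound(self, hit, port):
        # Transport hands down <HIT, port>; the HIP layer substitutes a locator.
        addrs = self.locators.get(hit)
        if not addrs:
            raise LookupError(f"no locator known for {hit}")
        return (str(addrs[0]), port)

    def inbound(self, addr, port):
        # Reverse translation for a received packet: locator back to the HIT that
        # the receiving socket is bound to.
        addr = ipaddress.ip_address(addr)
        for hit, addrs in self.locators.items():
            if addr in addrs:
                return (hit, port)
        raise LookupError(f"no HIT bound to {addr}")


def demo():
    # Constructed sample data: a fake "public key" and documentation-range addresses.
    peer_key = b"constructed stand-in for a DER-encoded public key"
    peer_hit = host_identity_tag(peer_key)
    layer = HipLayer()
    layer.add_locator(peer_hit, "192.0.2.10")
    steps = [layer.outbound(peer_hit, 80)]            # initial locator
    layer.move_locator(peer_hit, "192.0.2.10", "198.51.100.7")   # mobility
    steps.append(layer.outbound(peer_hit, 80))        # same socket, new address
    layer.add_locator(peer_hit, "2001:db8::1")        # multi-homing (IPv4 and IPv6)
    layer.drop_locator(peer_hit, "198.51.100.7")      # failover to the other locator
    steps.append(layer.outbound(peer_hit, 80))
    return steps


if __name__ == "__main__":
    for hop in demo():
        print("send to", hop)
```

The point the code makes is the one the slide makes: an application socket keyed by HIT survives both a serial change of address (the mobile case) and a parallel set of addresses (the multi-homed case), because only the HIT-to-locator table in the HIP layer changes.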


HIP Protocol 1: The Base Exchange

[Figure: the HIP base exchange between a client and a server. Components in the figure: Client App and Server App (userspace) on top of the Socket API; a HIP Daemon on each side; a DNS Library on the client and a DNS Server; and on each side an IPsec SAD and SPD in kernelspace. Labels on the message arrows:]
  – DNS query / DNS reply: the client learns the server's HITs and {IP addresses}
  – connect to HITs, TCP SYN to HITs: the client application talks to HITs only
  – Key Request: the kernel asks the HIP Daemon for keys for the new peer
  – I1, R1, I2, R2: the base exchange between the two HIP Daemons
  – Key Add, Key Add: each HIP Daemon installs the negotiated keys into its IPsec SAD/SPD
  – convert HITs to IP addresses and back: done in the kernel below the transport layer
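The figure above names the four base-exchange messages (I1, R1, I2, R2) and the "Key Add" into the IPsec SAD that follows. The Python below is an added simulation of that exchange with both sides' message handling, written for this page; it is not code from the presentation or from any HIP implementation. Its assumptions: a constructed toy Diffie-Hellman group (a 127-bit Mersenne prime with generator 3, not a secure group), a simplified KEYMAT derivation, a puzzle in the form used by the later HIP base specification (the low K bits of SHA-1(I | HIT-I | HIT-R | J) must be zero), an HMAC in place of the HMAC-plus-signature that the real I2 and R2 carry, and a dictionary standing in for the SAD. Signatures over the messages are omitted, so this shows the puzzle, the stateless R1 and the key agreement, not the identity proof.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed toy DH group (assumption): 127-bit Mersenne prime, generator 3. NOT secure;
# a real HIP exchange negotiates a standard MODP group.
DH_P = 2**127 - 1
DH_G = 3


def puzzle_ok(i: bytes, hit_i: bytes, hit_r: bytes, j: int, k: int) -> bool:
    # Puzzle check: the low-order K bits of SHA-1(I | HIT-I | HIT-R | J) must be zero.
    d = hashlib.sha1(i + hit_i + hit_r + j.to_bytes(8, "big")).digest()
    return int.from_bytes(d, "big") & ((1 << k) - 1) == 0


def solve_puzzle(i, hit_i, hit_r, k):
    # Initiator's work: brute-force J. Cost grows with K, which the responder chooses.
    j = 0
    while not puzzle_ok(i, hit_i, hit_r, j, k):
        j += 1
    return j


def keymat(kij: int, hit_i, hit_r, i, j) -> bytes:
    # Simplified KEYMAT (assumption): SHA-1(Kij | sort(HIT-I, HIT-R) | I | J | 0x01).
    hits = b"".join(sorted([hit_i, hit_r]))
    return hashlib.sha1(kij.to_bytes(16, "big") + hits + i + j.to_bytes(8, "big") + b"\x01").digest()


def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha1).digest()


@dataclass
class Host:
    hit: bytes                                     # 128-bit HIT (constructed by the caller)
    sad: dict = field(default_factory=dict)        # stand-in IPsec SAD: peer HIT -> (SPI, key)
    _dh_priv: int = field(default_factory=lambda: secrets.randbelow(DH_P - 2) + 1)
    _pending: dict = field(default_factory=dict)   # initiator state between I2 and R2

    @property
    def dh_pub(self):
        return pow(DH_G, self._dh_priv, DH_P)

    def shared(self, peer_pub):
        return pow(peer_pub, self._dh_priv, DH_P)


# ---- responder side ----
def make_r1(r: Host, hit_i, k=8):
    # R1 depends on nothing the initiator sent except its HIT: fresh puzzle nonce I,
    # difficulty K and the responder's DH value. The responder keeps no per-peer state
    # until a valid I2 arrives, which is what limits the cost of bogus I1 floods.
    return {"hit_r": r.hit, "hit_i": hit_i, "I": secrets.token_bytes(8), "K": k, "dh": r.dh_pub}


def handle_i2(r: Host, i2, spi=0x1001):
    # Cheap puzzle check first, expensive DH only for initiators that did the work.
    if not puzzle_ok(i2["I"], i2["hit_i"], r.hit, i2["J"], i2["K"]):
        return None
    key = keymat(r.shared(i2["dh"]), i2["hit_i"], r.hit, i2["I"], i2["J"])
    expected = mac(key, i2["hit_i"], r.hit, i2["I"], i2["J"].to_bytes(8, "big"))
    if not hmac.compare_digest(expected, i2["mac"]):
        return None
    r.sad[i2["hit_i"]] = (spi, key)   # "Key Add" into the responder's SAD
    return {"hit_r": r.hit, "hit_i": i2["hit_i"], "spi": spi, "mac": mac(key, b"R2", r.hit, i2["hit_i"])}


# ---- initiator side ----
def make_i1(i: Host, hit_r):
    return {"hit_i": i.hit, "hit_r": hit_r}


def handle_r1(i: Host, r1):
    j = solve_puzzle(r1["I"], i.hit, r1["hit_r"], r1["K"])
    key = keymat(i.shared(r1["dh"]), i.hit, r1["hit_r"], r1["I"], j)
    i._pending[r1["hit_r"]] = key
    return {"hit_i": i.hit, "hit_r": r1["hit_r"], "I": r1["I"], "K": r1["K"], "J": j,
            "dh": i.dh_pub, "mac": mac(key, i.hit, r1["hit_r"], r1["I"], j.to_bytes(8, "big"))}


def handle_r2(i: Host, r2):
    key = i._pending.pop(r2["hit_r"])
    if not hmac.compare_digest(mac(key, b"R2", r2["hit_r"], i.hit), r2["mac"]):
        return False
    i.sad[r2["hit_r"]] = (r2["spi"], key)   # "Key Add" into the initiator's SAD
    return True


def base_exchange(initiator: Host, responder: Host) -> bool:
    i1 = make_i1(initiator, responder.hit)
    r1 = make_r1(responder, i1["hit_i"])
    i2 = handle_r1(initiator, r1)
    r2 = handle_i2(responder, i2)
    return r2 is not None and handle_r2(initiator, r2)


if __name__ == "__main__":
    a, b = Host(hit=bytes(range(16))), Host(hit=bytes(range(16, 32)))   # constructed HITs
    print("exchange ok:", base_exchange(a, b), "shared key:", a.sad[b.hit][1].hex())
```

Two defender-relevant details are visible in the flow: `make_r1` stores nothing, so the responder commits resources only after `handle_i2` has verified the puzzle, and the cheap puzzle check runs before the modular exponentiation, so a flood of malformed I2s costs the responder one SHA-1 each.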


HIP Protocol 2: Current Status

• Base Exchange is quite mature
• UPDATE packets to support mobile hosts
• REA packets to support multi-homed hosts
• DNS extensions and Rendezvous Server for locating hosts under development
• Can work with (modified / HIP-aware) firewalls
• Can work with (modified / HIP-aware) NATs


Summary 1: The Solution

• New cryptographic name space that identifies hosts with public keys
• A concrete, down-to-earth attempt to "fix" the Internet
• Deployment can start at end-points
• No changes required to routers
• Supports firewalls and NAT, but requires HIP-capable firewall and NAT boxes
• Backward compatibility can be provided with proxies
• Integrates IPsec key negotiation (security), end-host mobility, and end-host multihoming


Summary 2: Mobility and Multi-Homing

• HIP seems to solve end-host mobility and multi-homing problems almost trivially
• Mobility and multi-homing become duals of each other
  – A mobile host has multiple addresses serially
  – A multi-homed host has multiple addresses in parallel
• Also easy to explain the difference between
  – process mobility (migration) and node mobility
  – end-host multi-homing and site multi-homing
• The thinking can be folded into a Virtual Interface Model
• The resulting architecture is relatively small and beautiful


Current Internet Drafts

• R. Moskowitz, P. Nikander, P. Jokela, T. Henderson, February 21, 2005, Host Identity Protocol, draft-ietf-hip-base-02

• R. Moskowitz, P. Nikander, January 11, 2004, Host Identity Protocol Architecture, draft-ietf-hip-arch-02

• P. Nikander, J. Arkko, T. Henderson, February 20, 2005, End-Host Mobility and Multi-Homing with the Host Identity Protocol, draft-ietf-hip-mm-01

• P. Nikander, J. Laganier, February 20, 2005, Host Identity Protocol (HIP) Domain Name System (DNS) Extensions, draft-ietf-hip-dns-01

• J. Laganier, L. Eggert, February 18, 2005, Host Identity Protocol (HIP) Rendezvous Extension, draft-ietf-hip-rvs-01

• Several individual submissions addressing different aspects of HIP...


References

• HIP at IETF and IRTF
  – HIP working group http://www.ietf.org/html.charters/hip-charter.html
  – HIP working group supplemental homepage http://hip.piuha.net/
  – HIP at IRTF http://www.irtf.org/charters/hip.html
  – HIP at IRTF supplemental homepage http://hiprg.piuha.net/
• The "official" HIP site from Robert G. Moskowitz http://homebase.htt-consult.com/HIP.html
• The InfraHIP Project from the Helsinki Institute for Information Technology http://infrahip.hiit.fi/ with HIP for Linux
• Ericsson Research HIP project http://www.hip4inter.net/ with a BSD implementation


Related IETF/IRTF Work

• IETF Working Groups
  – Mobile IPv6 (mipv6) http://www.ietf.org/html.charters/mip6-charter.html
    • Almost done
  – Mobile IPv4 (mipv4) http://www.ietf.org/html.charters/mip4-charter.html
    • Almost done
  – MIPv6 Signaling and Handoff Optimization (mipshop) http://www.ietf.org/html.charters/mipshop-charter.html
    • Hierarchical Mobile IPv6 (HMIPv6), Fast Handover
• IRTF Research Groups
  – IP Mobility Optimization (mobopts) http://www.irtf.org/charters/mobopts.html and http://people.nokia.net/%7Erajeev/mobopts/index.html
    • Session Mobility, Network Initiated Handover
