Host Identity Protocol
Vlad Balan
Host Identity Protocol – p.1/23
Introduction
Current Namespaces: IP and DNS
Host Identity Namespace: Host Identifiers (HI)
cryptographic in nature
public key of an asymmetric key-pair
IPsec used for actual packet transmission.
New Protocol: Host Identity Protocol, used to create the needed IPsec Security Associations (SA) and to authenticate the hosts.
Background
IP namespaces: IP and DNS
IP: 212.201.48.50
namespace of the networking interfaces and the names of the locations (for routing)
transport layers are coupled to the IP addresses
Domain Names: www.eecs.iu-bremen.de
hierarchically assigned names for some computing platforms and some services
A Namespace for Computing Platforms
An independent namespace could be used across many internetworking layers.
A cryptographically based namespace can provide authentication services.
It should be applied to the IP kernel (replacing the current IP addresses).
The names should have fixed length (128 bits), be possibly globally unique, and be flexible (created locally, delegated partially for routing purposes).
Host Identity Namespace
Host Identifiers (HI) are names in the Host Identity namespace, associated to one or more IP stacks.
A third party authenticator like DNSSEC or PGP can be used for asserting the identity.
Public keys are preferred for HI: they authenticate HIP packets and protect from man-in-the-middle attacks; they are used in a Diffie-Hellman exchange in HIP, also offering denial-of-service protection.
Host Identifiers
What HIs bring new:
a decoupling of the internetworking and transport layers
host authentication (the key can be used with IPsec)
Identities can be shared across multiple hosts.
The Host Identities are to be stored in DNS or LDAP directories and used in the HIP base exchange.
Storing Host Identifiers in DNS
Non-anonymous HIs should be stored in DNS or in various kinds of Public Key Infrastructure, making them suitable for other purposes than pure host identification.
Host Identity Tag
A Host Identity Tag (HIT) is a 128-bit representation of a Host Identity, created by taking a cryptographic hash over the HI.
Advantages:
fixed size makes implementation simpler
it makes the identity consistent across various underlying technologies
HITs should be unique to the IP universe, but if they collide the HIs will make the final difference.
Local Scope Identifier
An LSI is a 32-bit localized representation of a HI, defined in order to facilitate the usage of HIs over the existing IPv4 APIs.
It offers smaller size, but only local scope (otherwise collisions are likely).
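The two slides above (HIT and LSI) can be made concrete with a small Python model. This is an added example, not code from the slides or from any HIP implementation, and it simplifies the encoding: here HIT = SHA-256(HI) truncated to 128 bits (real HIP HITs are ORCHIDs, a fixed IPv6 prefix followed by a hash), the HI is arbitrary bytes standing in for an encoded public key, and the LSI is chosen locally starting from the low 32 bits of the HIT and re-chosen on this host when that value is already taken. `HostIdentityTable`, `verify_hi` and `hit_as_ipv6` are names invented for this example.

```python
"""HIT and LSI derivation from a Host Identifier (HI), with local collision handling.

Added example; not code from the slides or any HIP stack. Assumptions:
- HI = bytes of a public key (modelled as arbitrary bytes)
- HIT = first 128 bits of SHA-256(HI)  (simplification of the ORCHID encoding)
- LSI = low 32 bits of the HIT, re-chosen locally on collision
"""
import hashlib
import ipaddress


def hit_of(hi: bytes) -> bytes:
    """128-bit Host Identity Tag: cryptographic hash over the HI, truncated."""
    return hashlib.sha256(hi).digest()[:16]


def hit_as_ipv6(hit: bytes) -> str:
    """HITs are IPv6-sized, so they fit existing 128-bit address APIs."""
    return str(ipaddress.IPv6Address(hit))


def verify_hi(claimed_hit: bytes, presented_hi: bytes) -> bool:
    """A peer presenting an HI must hash to the HIT we were told (e.g. by a directory)."""
    return hit_of(presented_hi) == claimed_hit


class HostIdentityTable:
    """Per-host mapping HIT -> HI and LSI -> HIT.

    A HIT collision between two distinct HIs is caught by comparing the full HI
    (the HI 'makes the final difference'). LSIs have only local scope, so an LSI
    collision is resolved by picking another value on this host.
    """

    def __init__(self):
        self.hi_by_hit = {}
        self.hit_by_lsi = {}

    def register(self, hi: bytes):
        hit = hit_of(hi)
        known = self.hi_by_hit.get(hit)
        if known is not None and known != hi:
            raise ValueError("HIT collision: two distinct HIs hash to the same tag")
        if known is not None:
            return hit, self.lsi_for(hit)
        lsi = int.from_bytes(hit[-4:], "big")
        while lsi in self.hit_by_lsi:            # local scope: just pick another value
            lsi = (lsi + 1) & 0xFFFFFFFF
        self.hi_by_hit[hit] = hi
        self.hit_by_lsi[lsi] = hit
        return hit, lsi

    def lsi_for(self, hit: bytes):
        for lsi, h in self.hit_by_lsi.items():
            if h == hit:
                return lsi
        return None

    def resolve_lsi(self, lsi: int):
        """Map a 32-bit LSI seen in a legacy IPv4 API call back to the full HIT."""
        return self.hit_by_lsi.get(lsi)
```

The LSI never leaves the host: `resolve_lsi` is the step a HIP-aware stack performs when a legacy IPv4 socket call hands it a 32-bit value, and `verify_hi` is the check an initiator runs when a peer presents its HI during the base exchange.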
HIP exchange
I --> Directory: lookup R
I <-- Directory: return R’s addresses, and HI and/or HIT
I1 I --> R (Hi. Here is my I1, let’s talk HIP)
R1 I <-- R (OK. Here is my R1, handle this HIP cookie)
I2 I --> R (Compute, compute, here is my counter I2)
R2 I <-- R (OK. Let’s finish HIP with my R2)
I --> R (data)
I <-- R (data)
HIP exchange
+---------------------+---------------------------------------------+
| State | Explanation |
+---------------------+---------------------------------------------+
| UNASSOCIATED | State machine start |
| I1-SENT | Initiating HIP |
| I2-SENT | Waiting to finish HIP |
| R2-SENT | Waiting to finish HIP |
| ESTABLISHED | HIP association established |
| CLOSING | HIP association closing, no data can be |
| CLOSED | HIP association closed, no data can be sent |
| E-FAILED | HIP exchange failed |
+---------------------+---------------------------------------------+
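The I1/R1/I2/R2 flow on the previous slide and the state table above can be run end to end in a small simulation. This is an added example, not code from the slides or from the IETF drafts, and it makes several simplifying assumptions: an HI is random bytes standing in for a public key and HIT = SHA-256(HI)[:16] (the real ORCHID encoding is not reproduced); the R1 "cookie" is a hash puzzle (find J such that the low K bits of SHA-256(I || HIT_i || HIT_r || J) are zero) whose challenge I is derived from a responder secret, so the responder stores nothing until a correctly solved I2 arrives; Diffie-Hellman runs in a toy 64-bit group (`TOY_P`, `TOY_G`) that is not secure; packet signatures are omitted and the HIT-versus-HI check stands in for them. All class, function and field names are invented for the example.

```python
# Simulated HIP base exchange (I1, R1, I2, R2) following the state table above.
# Added example, not code from the slides or the IETF drafts; see the lead-in for
# the toy assumptions (HIT = SHA-256(HI)[:16], hash puzzle, 64-bit toy DH group).
import hashlib, hmac, os, secrets

TOY_P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59 (prime); toy DH group, not secure
TOY_G = 2

def hit_of(hi):
    return hashlib.sha256(hi).digest()[:16]

def puzzle_ok(I, hit_i, hit_r, J, K):
    """True when the low K bits of SHA-256(I || HIT_i || HIT_r || J) are zero."""
    h = hashlib.sha256(I + hit_i + hit_r + J.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") & ((1 << K) - 1) == 0

def solve_puzzle(I, hit_i, hit_r, K):
    J = 0
    while not puzzle_ok(I, hit_i, hit_r, J, K):   # the initiator's computational effort
        J += 1
    return J

def sa_keys(shared, hit_i, hit_r):
    """Keying material for the ESP SA pair, from the DH secret and both HITs."""
    return hashlib.sha256(shared.to_bytes(8, "big") + hit_i + hit_r).digest()

class Responder:
    def __init__(self, hi, K=8):
        self.hi, self.hit, self.K = hi, hit_of(hi), K
        self.secret = os.urandom(32)               # rotated periodically in a real stack
        self.dh_priv = secrets.randbelow(TOY_P - 2) + 1
        self.dh_pub = pow(TOY_G, self.dh_priv, TOY_P)
        self.assocs = {}                            # hit_i -> {"state", "keys"}

    def _puzzle(self, hit_i):
        # I depends only on the secret and the HITs, so no per-I1 storage is needed
        return hmac.new(self.secret, hit_i + self.hit, hashlib.sha256).digest()[:8]

    def recv_i1(self, i1):
        # Stateless answer: the responder stays UNASSOCIATED for this peer
        return {"type": "R1", "hit_r": self.hit, "hi_r": self.hi,
                "I": self._puzzle(i1["hit_i"]), "K": self.K, "dh_pub": self.dh_pub}

    def recv_i2(self, i2):
        hit_i = i2["hit_i"]
        if not hmac.compare_digest(i2["I"], self._puzzle(hit_i)):
            return None                             # not a puzzle we issued
        if not puzzle_ok(i2["I"], hit_i, self.hit, i2["J"], self.K):
            return None                             # initiator skipped the work
        if hit_of(i2["hi_i"]) != hit_i:
            return None                             # presented HI does not match HIT
        shared = pow(i2["dh_pub"], self.dh_priv, TOY_P)
        self.assocs[hit_i] = {"state": "R2-SENT", "keys": sa_keys(shared, hit_i, self.hit)}
        return {"type": "R2", "hit_r": self.hit, "hit_i": hit_i}

    def recv_data(self, hit_i):
        a = self.assocs.get(hit_i)
        if a and a["state"] == "R2-SENT":           # first data packet completes it
            a["state"] = "ESTABLISHED"
        return a["state"] if a else None

class Initiator:
    def __init__(self, hi, peer_hit):
        self.hi, self.hit, self.peer_hit = hi, hit_of(hi), peer_hit   # peer_hit from directory
        self.state, self.keys = "UNASSOCIATED", None
        self.dh_priv = secrets.randbelow(TOY_P - 2) + 1

    def send_i1(self):
        self.state = "I1-SENT"
        return {"type": "I1", "hit_i": self.hit, "hit_r": self.peer_hit}

    def recv_r1(self, r1):
        if r1["hit_r"] != self.peer_hit or hit_of(r1["hi_r"]) != self.peer_hit:
            self.state = "E-FAILED"                 # HI does not hash to the looked-up HIT
            return None
        J = solve_puzzle(r1["I"], self.hit, self.peer_hit, r1["K"])
        self.keys = sa_keys(pow(r1["dh_pub"], self.dh_priv, TOY_P), self.hit, self.peer_hit)
        self.state = "I2-SENT"
        return {"type": "I2", "hit_i": self.hit, "hit_r": self.peer_hit, "hi_i": self.hi,
                "I": r1["I"], "J": J, "dh_pub": pow(TOY_G, self.dh_priv, TOY_P)}

    def recv_r2(self, r2):
        self.state = "ESTABLISHED" if r2 and r2["hit_r"] == self.peer_hit else "E-FAILED"
        return self.state

def run_exchange(K=8):
    """Returns (initiator state, responder state, SA keys agree, responder entries after R1)."""
    r = Responder(os.urandom(64), K)
    i = Initiator(os.urandom(64), r.hit)
    r1 = r.recv_i1(i.send_i1())
    stored_after_r1 = len(r.assocs)                 # expect 0: nothing kept before a solved I2
    i.recv_r2(r.recv_i2(i.recv_r1(r1)))
    return i.state, r.recv_data(i.hit), i.keys == r.assocs[i.hit]["keys"], stored_after_r1

def responder_rejects_unsolved_i2(K=8):
    """An I2 whose J does not solve the puzzle must leave the responder stateless."""
    r = Responder(os.urandom(64), K)
    i = Initiator(os.urandom(64), r.hit)
    i2 = i.recv_r1(r.recv_i1(i.send_i1()))
    i2["J"] = next(j for j in range(1 << 20) if not puzzle_ok(i2["I"], i2["hit_i"], r.hit, j, K))
    return r.recv_i2(i2) is None and len(r.assocs) == 0
```

`run_exchange()` walks the initiator through I1-SENT, I2-SENT and ESTABLISHED and the responder through R2-SENT to ESTABLISHED, and reports that the responder held zero entries after answering I1. That last value is the point of the cookie: R1 can be answered without remembering anything, and the second function shows that an I2 without a valid solution is dropped before any association is created.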
New Stack Architecture
IP addresses currently are both locators (for routing) and endpoint identifiers.
In the HIP architecture, endpoint names and locators are separated. IP addresses continue to act as locators. HIs denote endpoints, and can spread across different interfaces.
Transport Associations and Endpoints
New binding for transport layer protocols: TCP connections and UDP associations no longer map to IP addresses but to Host Identities.
Since transport associations are bound to HIs, HIP provides for process migration and clustered servers.
End-Host Mobility and Multi-Homing
Because HIP decouples the transport from the internetworking layer and binds it to HIs, it can provide for internetworking mobility (IP address change) and multi-homing (multiple IP addresses per host).
With HIP, existing transport associations are preserved.
Notifications might be needed when the medium/interface changes, in order to send the new address and check for reachability.
Rendezvous server
Reaching a mobile node: dynamic DNS or using a HIP rendezvous server.
The mobile node tells the rendezvous server its current IP address, and the server acts as a proxy for the mobile node.
Note: this resembles IPv4 Mobile IP and does not really offer the advantages of IPv6 Mobile IP.
Protection against Flooding Attacks
Blindly accepting new addresses from Mobile Nodes could lead to a DoS attack from third parties by opening a large number of connections and re-pointing them towards a victim host's IP address.
HIP includes an address check mechanism where the reachability of a node is separately checked at each address before using the address for larger amounts of traffic.
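The three preceding slides (transport associations bound to HIs, end-host mobility, and the address check against flooding) fit together in one small model, added here as an example that is not code from the slides or from any HIP stack. Assumptions: an association is keyed by the pair of HITs and IP addresses are only locators; the address the base exchange ran over counts as verified, because the exchange's own round trips already showed reachability; a newly announced peer address starts UNVERIFIED, the host sends an echo request carrying a random nonce to it, and the address becomes ACTIVE only when a reply echoes that nonce back; while UNVERIFIED, at most `CREDIT_LIMIT` bytes (a value chosen for the example) may be sent to it. The addresses and HITs in `simulate_move` are constructed.

```python
"""Transport association bound to HITs, with a new peer address verified before use.

Added example, not code from the slides or any HIP stack; see the lead-in for assumptions.
"""
import secrets

UNVERIFIED, ACTIVE = "UNVERIFIED", "ACTIVE"
CREDIT_LIMIT = 1500   # bytes allowed towards an unverified locator (assumed value)


class Locator:
    def __init__(self, addr, state=UNVERIFIED):
        self.addr = addr
        self.state = state
        self.nonce = None            # outstanding echo-request nonce, if any
        self.credit = CREDIT_LIMIT


class Association:
    def __init__(self, local_hit, peer_hit, peer_addr):
        self.key = (local_hit, peer_hit)          # identity binding; survives address changes
        self.locators = {peer_addr: Locator(peer_addr, ACTIVE)}   # verified by the base exchange
        self.preferred = peer_addr

    def handle_update(self, new_addr):
        """Peer announces it now lives at new_addr: record it and challenge it."""
        loc = self.locators.setdefault(new_addr, Locator(new_addr))
        loc.nonce = secrets.token_bytes(16)
        return {"type": "ECHO_REQUEST", "to": new_addr, "nonce": loc.nonce}

    def handle_echo_reply(self, from_addr, nonce):
        """Only a reply carrying the nonce we sent to from_addr verifies that address."""
        loc = self.locators.get(from_addr)
        if loc is None or loc.nonce is None or not secrets.compare_digest(loc.nonce, nonce):
            return False
        loc.state, loc.nonce = ACTIVE, None
        self.preferred = from_addr                # traffic now follows the verified locator
        return True

    def send(self, nbytes, addr=None):
        """Pick the locator for nbytes of traffic; returns the address used, or None if withheld."""
        loc = self.locators.get(addr or self.preferred)
        if loc is None:
            return None
        if loc.state == ACTIVE:
            return loc.addr
        if loc.credit >= nbytes:                   # bounded traffic to an unverified address
            loc.credit -= nbytes
            return loc.addr
        return None                                # credit exhausted: wait for the address check


def simulate_move():
    """Peer moves from 10.0.0.5 to 10.0.0.9 (constructed addresses); returns the observed outcomes."""
    local_hit, peer_hit = b"\x11" * 16, b"\x22" * 16        # constructed HITs
    assoc = Association(local_hit, peer_hit, "10.0.0.5")
    challenge = assoc.handle_update("10.0.0.9")
    return {
        "small_before_check": assoc.send(1000, "10.0.0.9"),   # within credit
        "large_before_check": assoc.send(1000, "10.0.0.9"),   # credit exhausted: withheld
        "wrong_nonce_accepted": assoc.handle_echo_reply("10.0.0.9", b"\x00" * 16),
        "right_nonce_accepted": assoc.handle_echo_reply("10.0.0.9", challenge["nonce"]),
        "after_check": assoc.send(100000),
        "key_unchanged": assoc.key == (local_hit, peer_hit),
    }
```

The association key never changes while the peer moves, which is what preserves the transport association; what changes is only which verified locator the traffic is sent to. A forged address announcement on behalf of a victim gets at most `CREDIT_LIMIT` bytes, because the victim never answers the echo request.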
HIP and IPsec
IPsec will be used preferably for carrying the actual data traffic. The currently defined method is the IPsec Encapsulated Security Payload (ESP) for data packets.
The cryptographic HIs are used to set up a pair of ESP Security Associations (SA) to enable ESP in an end-to-end manner.
The ESP SAs are controlled by HITs only, making them also independent from underlying protocols.
HIP and NATs
HIP makes transport NAT-transparent since it does not use the IP addresses for identifying endpoints.
From the point of view of HIP, IP addresses can be changed freely during NAT traversal.
HIP and TCP Checksum
The checksum cannot rely on the IP addresses, so the HITs
are used instead in computing the checksums.
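A worked version of the checksum point, added here as an example that is not code from the slides or from any HIP stack: the TCP checksum is computed over a pseudo-header that carries the two 128-bit HITs where an IPv6 pseudo-header would carry addresses (the layout assumed here follows the IPv6 form: source, destination, 32-bit upper-layer length, three zero bytes, next header = 6), using the standard Internet one's-complement checksum. The HITs, ports and payload in `demo` are constructed.

```python
"""TCP checksum over a HIT pseudo-header, so the value does not depend on IP addresses.

Added example, not code from the slides or any HIP stack; layout assumed as in the lead-in.
"""
import struct

TCP_PROTO = 6


def internet_checksum(data: bytes) -> int:
    """Standard Internet checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hit_pseudo_header(src_hit: bytes, dst_hit: bytes, upper_len: int) -> bytes:
    """IPv6-style pseudo-header with HITs in place of addresses."""
    return src_hit + dst_hit + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([TCP_PROTO])


def build_tcp_segment(src_hit, dst_hit, src_port, dst_port, seq, ack, flags, window, payload):
    """20-byte TCP header plus payload, checksum computed over the HIT pseudo-header."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = internet_checksum(hit_pseudo_header(src_hit, dst_hit, 20 + len(payload)) + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]   # checksum field at offset 16
    return header + payload


def verify_tcp_segment(segment, src_hit, dst_hit) -> bool:
    """Valid when the sum over pseudo-header plus segment (checksum field included) folds to zero."""
    return internet_checksum(hit_pseudo_header(src_hit, dst_hit, len(segment)) + segment) == 0


def demo():
    """Constructed HITs and payload; the IP addresses the segment travels between never enter the sum."""
    src_hit, dst_hit = bytes(range(16)), bytes(range(16, 32))
    seg = build_tcp_segment(src_hit, dst_hit, 40000, 80, 1, 0, 0x18, 65535, b"GET / HTTP/1.0\r\n\r\n")
    return {
        "valid": verify_tcp_segment(seg, src_hit, dst_hit),
        # a one-byte change in the payload always shifts the one's-complement sum
        "tampered": verify_tcp_segment(seg[:-1] + bytes([seg[-1] ^ 0x01]), src_hit, dst_hit),
        # a HIT differing in one byte (wrong peer identity) fails the check
        "wrong_hit": verify_tcp_segment(seg, bytes([src_hit[0] ^ 1]) + src_hit[1:], dst_hit),
    }
```

Because neither locator appears in the pseudo-header, a NAT rewriting the IP addresses or a host moving to a new address leaves the checksum valid; only the endpoints' identities and the segment itself are covered.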
HIP Policies
All HIP implementations should support two HIs, one for publishing in the DNS and one for anonymous usage. Support for multiple HIs is recommended.
Different HITs can be used in response to different initiator HITs.
Benefits of HIP
HIP provides for cases in which:
the address sent differs from the one received
hosts change their address during the association (session)
a return header cannot simply be formed by reversing the source and the destination
a host does not know what address a partner host can use to send packets to it
all of which were not an issue when designing the initial IP protocols.
Security Considerations
DoS attacks usually rely on the creation of state. With HIP this does not happen until authentication is made and the initiator host has performed computational effort.
MiM attack avoidance relies on third party authentication; however, this is harder to do when using anonymous HIs.
References
Host Identity Protocol, draft-ietf-hip-base-02, R. Moskowitz, P. Nikander, P. Jokela, T. Henderson, IETF Network Working Group, February 21, 2005
Host Identity Protocol Architecture, draft-ietf-hip-arch-05, R. Moskowitz, P. Nikander, P. Jokela, T. Henderson, IETF Network Working Group, Sep 2003