HOST IDENTITY PROTOCOL
What is HIP
● A multi-addressing and mobility solution for the Internet
● Also a security protocol for authentication and encryption
● Adds a new layer to separate the transport and network layers
● The new layer maps host identifiers to network addresses and vice versa
History
● 1999: Idea discussed briefly at the IETF
● 2001: Two BoFs, no WG created at that time
● 2002-2003: Development in the corridors
● 2004: WG and RG created
● 2007: First stable version
Achievements
● Mobility
● Multi-homing
● Security
● NAT / IPv4 / IPv6 traversal
Host Identity Tag (HIT)
● A public key is used to identify an end-host
● A 128-bit host identity tag (HIT) is used in system calls
● The HIT is a hash of the public key and has global scope
● A 32-bit local scope identifier (LSI) is used for IPv4 compatibility
WHY
● To overcome the shortcomings of the existing Internet, namely
○ The dual role of IP as both host identifier and locator
○ The lack of security with IP
● To make end-host mobility and multi-homing very easy to implement
How it works
● HIP introduces a host identity layer between the transport and network layers
● HIP uses a base exchange to perform authentication and establish session keys before communication
● Communication data are protected using IPsec ESP
● HIP provides a readdressing mechanism to support IP address changes with mobility and multi-homing
Architecture
Architecture
● Transport layer communication is bound to the host identity instead of the IP address
● The binding between host identity and IP address is dynamic and can be a one-to-many relationship
● A host layer protocol is developed to make HIP work
Host Layer Protocol
● A signaling protocol between the communicating end-points
● Performs mutual end-to-end authentication
● Creates IPsec ESP Security Associations for integrity protection and encryption
● Performs reachability verification
● Consists of 7 message types, four of which are dedicated to the base exchange
Protocol overview (Initiator I on the left, Responder R on the right)
Control:
● I1: HIT_I, HIT_R or NULL (I → R)
● R1: HIT_I, [HIT_R, puzzle, DH_R, HI_R]sig (R → I)
● I2: [HIT_I, HIT_R, solution, DH_I, {HI_I}]sig (I → R)
● R2: [HIT_I, HIT_R, authenticator]sig (R → I)
Data:
● User data messages (I → R and R → I)
Base Exchange
● Step 1: The initiator (I) sends the first I1 packet, which contains its own HIT and the HIT of the responder, to the responder (R)
● Step 2: R replies with message R1, which contains the HITs of I and itself as well as a puzzle-based challenge for I to solve
● Step 3: I solves the puzzle and sends in I2 the HITs of itself and R as well as the solution to the puzzle, and performs the authentication
● Step 4: R now commits itself to the communication, responds with the HITs of I and itself, and performs the authentication
● After this, I and R have performed mutual authentication and established Security Associations for ESP
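The puzzle that R1 carries and I2 answers (steps 2 and 3 above), as an added Python example that is not part of the slides or of any HIP implementation. The puzzle form follows RFC 7401 (find a J such that the low-order K bits of RHASH over I | HIT-I | HIT-R | J are zero, with SHA-256 assumed as RHASH); the HIT construction is simplified and the host identities are constructed values.

```python
import hashlib
import os
import struct
from typing import Optional, Tuple

# Simplified HIT: the first 128 bits of SHA-256 over the Host Identity (HI).
# Real HITs are ORCHIDs with a fixed IPv6 prefix; that is omitted here (assumption).
def make_hit(host_identity: bytes) -> bytes:
    return hashlib.sha256(host_identity).digest()[:16]

# Responder side, R1: choose a random nonce I and a difficulty K. R stores no
# per-initiator state at this point, which is what protects it from I1 floods.
def new_puzzle(k: int, nonce: Optional[bytes] = None) -> Tuple[bytes, int]:
    return (nonce if nonce is not None else os.urandom(8)), k

def _puzzle_hash(nonce: bytes, hit_i: bytes, hit_r: bytes, j: int) -> int:
    # RFC 7401 puzzle input: I | HIT-I | HIT-R | J. SHA-256 is assumed as RHASH.
    data = nonce + hit_i + hit_r + struct.pack(">Q", j)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

# Initiator side, between R1 and I2: search for a J whose hash has K zero low bits.
# The cost grows as 2**K for I, while R checks the answer with a single hash.
def solve_puzzle(nonce: bytes, k: int, hit_i: bytes, hit_r: bytes) -> int:
    mask = (1 << k) - 1
    j = 0
    while _puzzle_hash(nonce, hit_i, hit_r, j) & mask:
        j += 1
    return j

# Responder side, on I2: verify before doing the expensive DH and signature work.
# Because both HITs are hashed in, a solution cannot be reused for another host pair.
def verify_puzzle(nonce: bytes, k: int, hit_i: bytes, hit_r: bytes, j: int) -> bool:
    return _puzzle_hash(nonce, hit_i, hit_r, j) & ((1 << k) - 1) == 0

if __name__ == "__main__":
    # Constructed host identities standing in for the two public keys.
    hit_i = make_hit(b"constructed initiator HI")
    hit_r = make_hit(b"constructed responder HI")
    nonce, k = new_puzzle(k=16)               # R1 carries (I, K) to the initiator
    j = solve_puzzle(nonce, k, hit_i, hit_r)  # I2 carries the solution J back
    print("I2 accepted:", verify_puzzle(nonce, k, hit_i, hit_r, j))
```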
Mobility with HIP
● HIP provides a dynamic binding between a Host ID and IP addresses
● A mobile node sends a REA (readdressing) packet to its peer to inform it of the change of address
● The peer verifies the reachability of the mobile node at the new address
Mobility with HIP
Multi-homing
A host can have multiple network interfaces
Multihoming with HIP
● HIP provides a one-to-many binding between a Host ID and IP addresses
● A multi-homed host can send a series of available addresses to its peer and designate a preferred address
● The peer host can choose the communication address in case of failover or based on load-balancing considerations
● An update message is enough to make it work
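The peer-side address table behind the mobility slide (REA/UPDATE followed by reachability verification) and the multihoming slide above (announced address set with a preferred address, failover), as an added Python example that is not from the slides or the HIPL project. The state names, the 8-byte nonce and the echo request/response shape are assumptions, and the addresses are constructed.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

UNVERIFIED, ACTIVE = "UNVERIFIED", "ACTIVE"   # locator states (names assumed)

@dataclass
class Locator:
    state: str = UNVERIFIED
    preferred: bool = False
    echo_nonce: Optional[bytes] = None       # outstanding reachability challenge

@dataclass
class PeerAddressTable:
    """The peer's view of one HIP association: the Host ID stays fixed while
    this one-to-many set of IP addresses changes underneath it."""
    locators: Dict[str, Locator] = field(default_factory=dict)

    def on_update(self, addresses: List[str], preferred: str) -> Dict[str, bytes]:
        """Handle an UPDATE/REA announcing the remote host's current address set.
        New addresses start UNVERIFIED; the returned nonces are the echo requests
        the peer must send to each new address before trusting it."""
        challenges: Dict[str, bytes] = {}
        for addr in addresses:
            if addr not in self.locators:
                self.locators[addr] = Locator(echo_nonce=os.urandom(8))
                challenges[addr] = self.locators[addr].echo_nonce
            self.locators[addr].preferred = addr == preferred
        for addr in list(self.locators):      # addresses no longer announced
            if addr not in addresses:
                del self.locators[addr]
        return challenges

    def on_echo_response(self, addr: str, nonce: bytes) -> bool:
        """An address becomes ACTIVE only if the exact nonce came back from it.
        This is what stops a host from redirecting traffic to a third party."""
        loc = self.locators.get(addr)
        if loc is None or loc.echo_nonce is None or loc.echo_nonce != nonce:
            return False
        loc.state, loc.echo_nonce = ACTIVE, None
        return True

    def select(self, failed: Iterable[str] = ()) -> Optional[str]:
        """Preferred ACTIVE address if usable, else any ACTIVE one (failover)."""
        down = set(failed)
        usable = [a for a, loc in self.locators.items()
                  if loc.state == ACTIVE and a not in down]
        preferred = [a for a in usable if self.locators[a].preferred]
        return (preferred or usable or [None])[0]
```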
Multihoming with HIP
Implementation
● Involves kernel-level programming, since the host layer protocol works under the transport layer
● Only the base exchange is implemented in the HIPL project
● HIP is implemented as a kernel module, which uses a user-space daemon for cryptographic operations
Using HIP with ESP (diagram; labels recovered from the slide)
● Client host: Client app, socket API, HIP daemon, IPsec SPD and SAD, DNS library
● Server host: Server app, socket API, HIP daemon, IPsec SPD and SAD
● DNS server: DNS query / DNS reply, resolving HIT -----> {IP addresses}
● Client side: connect(HIT_S); TCP SYN to HIT_S; the HIP daemon converts HITs to IP addresses
● On the wire: ESP-protected TCP SYN to IPaddr_S
● Server side: the HIP daemon converts IP addresses to HITs; TCP SYN from HIT_C
HIP as the new waist of TCP/IP (diagram; labels recovered from the slide)
● Two hosts, each with the same stack: v4 app and v6 app, over TCPv4 and TCPv6, over the Host identity layer, over IPv4 and IPv6, over the Link layer
Thanks