Host Identity Protocol


1 Host Identity Protocol

2 What is HIP
A multi-addressing and mobility solution for the Internet
Also a security protocol for authentication and encryption
Adds a new layer to separate the transport and network layers
The new layer maps host identifiers to network addresses and vice versa

3 History
•1999: Idea discussed briefly at the IETF
•2001: Two BoFs, no WG created at that time
•2002-03: development in the corridors
•2004: WG and RG created
•2007: first stable version

4 HIP
Developed at the IETF since 1999, first stable version in 2007
Inserts a cryptographic namespace between the transport and network layers
No changes needed in applications or routers (changes reside in the network stack of the host)
Provides many more features than LISP
Aims for security, mobility and multi-homing
Reference: Host Identity Protocol review paper by Pekka Nikander et al.

5 Achievements
Mobility
Multi-homing
Security
NAT / IPv4 / IPv6 traversal

6 Host Identity Tag (HIT)
A public key is used to identify an end-host
A 128-bit host identity tag (HIT) is used in system calls
The HIT is a hash of the public key and has global scope
A 32-bit local scope identifier (LSI) is used for IPv4 compatibility

7 WHY
To overcome the shortcomings of the existing Internet, namely:
The dual role of IP as both host identifier and locator
The lack of security in IP
To make end-host mobility and multi-homing very easy to implement

8 How it works
HIP introduces a host identity layer between the transport and network layers
HIP uses a base exchange to perform authentication and establish session keys before communication
Communication data are protected using IPsec ESP
HIP provides a readdressing mechanism to support IP changes with mobility and multi-homing

9 Architecture

10 Architecture
Transport layer communication is bound to the host identity instead of the IP address
The binding between host identity and IP is dynamic and can be a one-to-many relationship
A host layer protocol is developed to make HIP work

11 Host Layer Protocol
A signaling protocol between the communicating end-points
Performs mutual end-to-end authentication
Creates IPsec ESP Security Associations for integrity protection and encryption
Performs reachability verification
Consists of 7 message types, four of which are dedicated to the base exchange

12 More detailed layering
Transport Layer: end-to-end, uses HITs
HIP: mobility, multi-homing, v4/v6 bridge, IPsec
IP layer: fragmentation, forwarding; hop-by-hop, uses IP addresses
Link Layer

13 Protocol overview
Initiator -> Responder, I1: HIT_I, HIT_R or NULL (control)
Responder -> Initiator, R1: HIT_I, [HIT_R, puzzle, DH_R, HI_R]sig (control)
Initiator -> Responder, I2: [HIT_I, HIT_R, solution, DH_I, {HI_I}]sig (control)
Responder -> Initiator, R2: [HIT_I, HIT_R, authenticator]sig (control)
Then user data messages (data)

14 Base Exchange

15 Base Exchange
Step 1: The Initiator (I) sends the first I1 packet, which contains its own HIT and the HIT of the Responder, to the Responder (R)
Step 2: R replies with message R1, which contains the HITs of I and itself as well as a puzzle-based challenge for I to solve
Step 3: I solves the puzzle and sends in I2 the HITs of itself and R as well as the solution to the puzzle, and performs the authentication
Step 4: R now commits itself to the communication, responds with the HITs of I and itself, and performs the authentication
After this, I and R have performed mutual authentication and established Security Associations for ESP
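The puzzle in R1/I2 is what lets the Responder stay stateless until the Initiator has done some work, which limits how cheaply an attacker can exhaust it with I1 floods. The following is an added example, not code from the presentation or from any HIP implementation: it derives a 128-bit HIT by hashing a public key (simplified to a truncated SHA-256), builds a hash-based puzzle bound to both HITs, has the Initiator brute-force a solution, and has the Responder recompute the puzzle nonce from a rotated secret instead of storing per-Initiator state. The difficulty constant, the nonce sizes and the secret-rotation scheme are assumptions for illustration; Diffie-Hellman, host identities and signatures carried in R1/I2 are left out.

```python
import hashlib
import hmac
import secrets

# Puzzle difficulty K: number of low-order hash bits that must be zero.
# Assumed value for illustration; a responder would tune K to its load.
PUZZLE_K = 16


def hit_from_public_key(pubkey: bytes) -> bytes:
    """128-bit Host Identity Tag as a hash of the public key (simplified:
    the exact encoding real HIP uses is not reproduced here)."""
    return hashlib.sha256(pubkey).digest()[:16]


def puzzle_digest(i: bytes, hit_i: bytes, hit_r: bytes, j: bytes) -> int:
    """Hash over nonce I, both HITs and candidate solution J. Binding the
    HITs makes a solution worthless for any other pair of peers."""
    return int.from_bytes(hashlib.sha256(i + hit_i + hit_r + j).digest(), "big")


def solve_puzzle(i: bytes, hit_i: bytes, hit_r: bytes, k: int = PUZZLE_K) -> bytes:
    """Initiator's work: search J until the K low-order bits are zero.
    About 2^K hashes for the Initiator, one hash for the Responder to check."""
    mask = (1 << k) - 1
    j_int = secrets.randbits(64)               # random start, then count upwards
    while True:
        j = j_int.to_bytes(8, "big")
        if puzzle_digest(i, hit_i, hit_r, j) & mask == 0:
            return j
        j_int = (j_int + 1) & 0xFFFFFFFFFFFFFFFF


def verify_puzzle(i: bytes, hit_i: bytes, hit_r: bytes, j: bytes, k: int = PUZZLE_K) -> bool:
    return puzzle_digest(i, hit_i, hit_r, j) & ((1 << k) - 1) == 0


class StatelessResponder:
    """Responder that keeps no per-Initiator state before I2: nonce I is an
    HMAC of a periodically rotated secret over the HIT pair, so it is
    recomputed when I2 arrives rather than stored after R1 (assumed design)."""

    def __init__(self, pubkey: bytes, k: int = PUZZLE_K):
        self.hit = hit_from_public_key(pubkey)
        self.k = k
        self.secret = secrets.token_bytes(32)

    def rotate_secret(self) -> None:
        self.secret = secrets.token_bytes(32)  # puzzles issued earlier stop verifying

    def _nonce(self, hit_i: bytes) -> bytes:
        return hmac.new(self.secret, hit_i + self.hit, hashlib.sha256).digest()[:8]

    def make_r1(self, hit_i: bytes) -> dict:
        # Real R1 also carries DH_R and HI_R under a signature; omitted here.
        return {"hit_i": hit_i, "hit_r": self.hit, "puzzle_I": self._nonce(hit_i), "k": self.k}

    def accept_i2(self, hit_i: bytes, j: bytes) -> bool:
        return verify_puzzle(self._nonce(hit_i), hit_i, self.hit, j, self.k)


def run_base_exchange(initiator_pubkey: bytes, responder: StatelessResponder) -> bool:
    """I1 -> R1 -> I2 for the puzzle part of the exchange; True if R accepts I2."""
    hit_i = hit_from_public_key(initiator_pubkey)
    r1 = responder.make_r1(hit_i)                                    # I1 carried HIT_I, HIT_R
    j = solve_puzzle(r1["puzzle_I"], hit_i, r1["hit_r"], r1["k"])   # solution goes in I2
    return responder.accept_i2(hit_i, j)


if __name__ == "__main__":
    # Constructed sample "public keys": random bytes stand in for real keys.
    alice_pk, bob_pk = secrets.token_bytes(64), secrets.token_bytes(64)
    bob = StatelessResponder(bob_pk)
    print("HIT_A:", hit_from_public_key(alice_pk).hex())
    print("I2 accepted:", run_base_exchange(alice_pk, bob))
```

Two properties matter for the defender: a solution computed for one HIT pair does not verify for another, and after the Responder rotates its secret an old I2 is rejected, so a captured solution cannot be replayed indefinitely.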

16 Mobility with HIP
HIP provides a dynamic binding between a Host ID and IP addresses
A mobile node sends a REA (readdressing) packet to its peer to inform it of the change of address
The peer verifies the reachability of the mobile node at the new address

17 Mobility with HIP

18 Multi-homing A host can have multiple network interfaces

19 Multihoming with HIP
HIP provides a one-to-many binding between a Host ID and IP addresses
A multi-homed host can send a series of available addresses to its peer and designate a preferred address
The peer host can choose the communication address in case of failover or based on load-balancing considerations
An update message is enough to make it work
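The readdressing of slide 16 and the locator set of slide 19 are the same mechanism from the peer's side, and the security-relevant step in both is that a newly announced address is not used for data until its reachability has been verified; otherwise an update could redirect a session to an address the sender does not control. The following is an added example, not code from the presentation or from any HIP implementation: a peer receives an update listing locators and a preferred one, sends an echo request with a fresh nonce to each unverified address, marks an address reachable only when the matching response comes back, and falls over to another verified address when the preferred one is unavailable. The message shapes, the `HipHost` class, the nonce format and the simulated network are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PeerState:
    """What a host keeps about one peer's locators (IP addresses)."""
    verified: Set[str] = field(default_factory=set)   # answered an echo request
    pending: Dict[str, str] = field(default_factory=dict)  # address -> nonce awaiting reply
    preferred: Optional[str] = None


class HipHost:
    def __init__(self, hit: str):
        self.hit = hit
        self.peers: Dict[str, PeerState] = {}

    def on_update(self, peer_hit: str, locators: List[str], preferred: str) -> Dict[str, str]:
        """Handle a readdressing update carrying the peer's current locator set.
        Unknown addresses are not used yet: each gets an echo request with a
        fresh nonce, sent to that address rather than back to the update's
        source, and only a matching response marks it reachable."""
        st = self.peers.setdefault(peer_hit, PeerState())
        st.preferred = preferred
        st.verified &= set(locators)           # drop locators the peer withdrew
        st.pending = {a: n for a, n in st.pending.items() if a in locators}
        echo_requests: Dict[str, str] = {}
        for addr in locators:
            if addr not in st.verified:
                nonce = secrets.token_hex(8)
                st.pending[addr] = nonce
                echo_requests[addr] = nonce
        return echo_requests

    def on_echo_response(self, peer_hit: str, addr: str, nonce: str) -> bool:
        st = self.peers[peer_hit]
        if st.pending.get(addr) != nonce:
            return False                       # unsolicited or wrong nonce: ignore
        del st.pending[addr]
        st.verified.add(addr)
        return True

    def data_address(self, peer_hit: str) -> Optional[str]:
        """Where data goes: the preferred locator if verified, otherwise any
        verified locator (failover), otherwise nowhere."""
        st = self.peers.get(peer_hit)
        if not st or not st.verified:
            return None
        if st.preferred in st.verified:
            return st.preferred
        return sorted(st.verified)[0]


def simulate_network(echo_requests: Dict[str, str], reachable: Set[str]) -> Dict[str, str]:
    """Constructed network: an echo request sent to an address only comes back
    if that address really belongs to the host that announced it."""
    return {a: n for a, n in echo_requests.items() if a in reachable}


def run_scenario() -> Tuple[Optional[str], Optional[str]]:
    peer = HipHost("HIT_peer")
    mobile = "HIT_mobile"
    mobile_owns = {"192.0.2.10", "198.51.100.7"}   # constructed addresses (documentation ranges)
    # The mobile node becomes multi-homed and moves: it announces its two real
    # locators plus one it does not own, and marks the bogus one as preferred.
    reqs = peer.on_update(mobile, ["192.0.2.10", "198.51.100.7", "203.0.113.99"], "203.0.113.99")
    for addr, nonce in simulate_network(reqs, mobile_owns).items():
        peer.on_echo_response(mobile, addr, nonce)
    first = peer.data_address(mobile)       # preferred never verified, so failover
    # A later update withdraws 192.0.2.10 and prefers the remaining address.
    peer.on_update(mobile, ["198.51.100.7"], "198.51.100.7")
    second = peer.data_address(mobile)
    return first, second


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario the unverifiable preferred address is never selected, data falls back to a verified locator, and the second update switches the session to the surviving address without any new base exchange.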

20 Multihoming with HIP

21 Implementation
Involves kernel-level programming, since the host layer protocol works below the transport layer
Only the base exchange is implemented in the HIPL project
HIP is implemented as a kernel module, which uses a user-space daemon for cryptographic operations

22 Using HIP with ESP
[Diagram. Components: DNS server, client app, DNS library, server app, HIP daemon on each host, socket API, IPsec SPD and SAD. Flow: the client app issues a DNS query; the DNS reply maps HIT -> {IP addresses}; the client app calls connect(HIT_S) through the socket API; the TCP SYN to HIT_S passes the IPsec SPD/SAD, where the HIP daemon converts HITs to IP addresses, and leaves as an ESP-protected TCP SYN to IPaddr_S; on the server, the IPsec SAD/SPD convert IP addresses back to HITs and the server app sees a TCP SYN from HIT_C.]

23 HIP as the new waist of TCP/IP
[Diagram, for each of two hosts: v4 app, v6 app over TCPv4, TCPv6 over Host identity over IPv4, IPv6 over Link layer]

24 Conclusion
HIP adds a layer between the transport and network layers, thus separating the dual role of IP as both host identifier and locator
HIP supports IP changes over time with ease and without disrupting communications
HIP provides strong endpoint authentication and communication encryption

25 Thanks

