HIP Host Identity Protocol

October 2007
Patrik Salmela
Ericsson

© Ericsson AB 2007 – HIP Tutorial, M2NM 2007, 2007-09-11

Agenda

What is the Host Identity Protocol (HIP)
– What does HIP try to solve
HIP basics
– Architecture
– The HIP base exchange
HIP basic features
– Security, Mobility, Multi-homing
HIP extensions
Mobility
– HIP Mobility, Network Mobility
– Different mobility solutions, comparison of mobility solutions
Implementation status
– Implementations, usage of HIP today
Standardization
– IETF drafts, IETF status
Possible usage of HIP
HIP Mobile Router demo presentation
Conclusions

Identifier-locator split

In today’s Internet
– the IP address describes the topological location of the host
– the same IP address is also used for identifying the host

In practice
– deliver the packet to the entity at the destination locator
– a mobile host gets a new IP address: changed locator, changed identity

(Figure: a host known only by its location, like a person addressed as ”Room 123”)

Identifier-locator split

In HIP
– the IP address describes the topological location of the host
– the Host Identity is used for identifying the host

In practice
– deliver the packet to, e.g., Host Identity ”Patrik”
– a mobile host gets a new IP address: changed locator, same identity

(Figure: the same host, now identified as Host Identity ”Patrik” and currently located in ”Room 123”)

Why HIP?

HIP provides a combination of useful features:
– Identifier-locator split
– Security
– Mobility
– IPv4 and IPv6 interoperability
– Multi-homing

Why HIP?

These features are (separately) available elsewhere, but…
– IP addresses no longer work for identifying hosts
– IPsec is hard to configure
– Mobile IP is large and complex
– Mobile IPv4 and Mobile IPv6 do not work together
– There are no simple solutions for multi-access / multi-homing

What is the Host Identity Protocol

Architectural change to the TCP/IP stack
– A new layer between IP and transport

New namespace of Host Identities (HI)
– HI = public key
– HI presented as hash values
  IPv6: Host Identity Tag (HIT), 128 bits
  IPv4: Local Scope Identifier (LSI), 32 bits

Connections established between HIs
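The slide says an HI is ”presented as hash values”; the example below, added here and not part of the tutorial, shows how a HIT is actually derived. A HIT is an ORCHID (RFC 4843): the 28-bit prefix 2001:10::/28 followed by the middle 100 bits of SHA-1(context ID | HI), with the context ID that RFC 5201 assigns to HIP. The HI bytes used are a constructed placeholder for the DER-encoded public key a real host would hash.

```python
"""Deriving a Host Identity Tag (HIT) from a Host Identity (HI) - added example.

HIT = Prefix(28 bits) | Encode_100(SHA-1(Context ID | HI)), per RFC 4843 / RFC 5201.
The HI below is a constructed stand-in for a DER-encoded public key.
"""
import hashlib
import ipaddress

ORCHID_PREFIX = ipaddress.IPv6Network("2001:10::/28")                      # RFC 4843 experimental prefix
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")        # RFC 5201, Section 3.2


def hit_from_hi(hi):
    """Hash the HI under the HIP context and keep the middle 100 of the 160 hash bits."""
    digest = int.from_bytes(hashlib.sha1(HIP_CONTEXT_ID + hi).digest(), "big")
    middle100 = (digest >> 30) & ((1 << 100) - 1)      # drop 30 bits at each end (Encode_100)
    return ipaddress.IPv6Address(int(ORCHID_PREFIX.network_address) | middle100)


def is_hit(addr):
    """Cheap syntactic check: does this IPv6-looking value live in the ORCHID prefix?"""
    return ipaddress.IPv6Address(addr) in ORCHID_PREFIX


def hi_matches_hit(hi, claimed_hit):
    """What a peer does with the HOST_ID it receives in R1/I2: the key must hash to the HIT in the header."""
    return hit_from_hi(hi) == ipaddress.IPv6Address(claimed_hit)


if __name__ == "__main__":
    hi_a = b"constructed-public-key-bytes-for-host-A"   # constructed, not a real key
    hit_a = hit_from_hi(hi_a)
    print(hit_a, is_hit(hit_a), hi_matches_hit(hi_a, hit_a))
```

Because the HIT is a hash of the key, a host cannot pick its own HIT and a peer can check the binding without any infrastructure: the HOST_ID parameter carried in R1 or I2 either hashes to the HIT in the HIP header or the packet is dropped.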

What is the Host Identity Protocol

The new Host Identity layer

(Figure: the stack with the new layer inserted – Process | Transport | Host Identity | IP layer | Link layer. A socket names its peer as <Host ID, port>; the Host Identity layer maps the Host ID to an IP address, which the IP layer then carries.)

Sockets bound to HIs
– IPv6: HIT
– IPv4: LSI

The Host Identity layer translates HIs to IP addresses and vice versa

The layering in detail

(Figure: Transport layer – end-to-end, identified by HIT; HIP layer providing IPsec, Mobility, Multi-homing and the v4/v6 bridge; IP layer with Fragmentation and Forwarding – hop-by-hop, identified by IP address; Link layer.)

HIP – a new waist for TCP/IP

(Figure: two hosts, each running a v4 application over TCPv4/IPv4 and a v6 application over TCPv6/IPv6 on a common link layer. The Host Identity layer, addressed by HIT, sits between the transports and both IP versions on each host and is the common waist between them.)

Interoperability between IPv4 and IPv6
– IPv6 checksum, HITs as IP addresses

Host Identity Protocol – HIP packets

I1, R1, I2, R2 – Base exchange
UPDATE – change connection parameters
– Rekeying (e.g. SA lifetime expires)
– Setting up additional SAs
– Change in locators
– Deleting SAs
CLOSE, CLOSE_ACK – closing a HIP association
NOTIFY – Notification messages

Host Identity Protocol – HIP packets

Packets consist of a HEADER and zero or more parameters

HIP header:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Next Header  |  Payload Len  |     Type      |  VER. |  RES. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Controls            |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                Sender's Host Identity Tag (HIT)               |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|               Receiver's Host Identity Tag (HIT)              |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
/                        HIP Parameters                         /
/                                                               /
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Host Identity Protocol – Parameters

Parameters are coded in Type-Length-Value format
For different purposes:
– Puzzle – solution
– Diffie-Hellman
– Transforms
– Signatures
– HMACs
– …
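To make the header and TLV slides concrete, here is an added example (not code from the tutorial) that builds, checksums and parses a HIP packet. It follows the field layout above with the RFC 5201 encoding: Next Header is 59 because nothing follows the HIP header, the length field counts 8-byte units excluding the first 8 bytes, the top bit of Type and the low bit of the VER/RES byte are fixed, and the checksum is the Internet checksum over an IPv6 pseudo-header (protocol 139) plus the packet, as HIP inherits from TCP/UDP. Parameters are TLVs padded to 8 bytes, sent in increasing type order, with the low bit of Type marking a parameter as critical. The packet and parameter type numbers are the RFC 5201 values; the HITs, addresses and parameter contents are constructed and carry no real puzzle or transform data.

```python
"""Build, checksum and parse a HIP packet - added example, IPv6 carrier only.

HITs, addresses and parameter contents below are constructed values.
"""
import ipaddress
import struct

HIP_PROTO = 139                 # IP protocol number of HIP
HIP_VERSION = 1
NO_NEXT_HEADER = 59             # IPPROTO_NONE: no payload follows the HIP header
I1, R1, I2, R2, UPDATE, NOTIFY, CLOSE, CLOSE_ACK = 1, 2, 3, 4, 16, 17, 18, 19
PUZZLE, SOLUTION, DIFFIE_HELLMAN, HIP_TRANSFORM, HMAC, HIP_SIGNATURE = 257, 321, 513, 577, 61505, 61697
KNOWN_PARAMS = {PUZZLE, SOLUTION, DIFFIE_HELLMAN, HIP_TRANSFORM, HMAC, HIP_SIGNATURE}


def internet_checksum(data):
    """One's-complement sum of 16-bit words, complemented (same as TCP/UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, length):
    """IPv6 pseudo-header: src, dst, upper-layer length, 3 zero bytes, next header = 139."""
    return (ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
            + struct.pack("!I", length) + b"\x00\x00\x00" + bytes([HIP_PROTO]))


def encode_param(ptype, contents):
    """TLV: Type (C bit = low bit), Length of Contents, Contents, zero padding to an 8-byte boundary."""
    tlv = struct.pack("!HH", ptype, len(contents)) + contents
    return tlv + b"\x00" * (-len(tlv) % 8)


def build_hip_packet(ptype, hit_src, hit_dst, params, src_ip, dst_ip):
    body = b"".join(encode_param(t, c) for t, c in sorted(params))   # increasing type order
    total = 40 + len(body)
    fixed = struct.pack("!BBBBHH", NO_NEXT_HEADER, total // 8 - 1, ptype & 0x7F,
                        (HIP_VERSION << 4) | 0x01, 0, 0)             # Controls = 0, Checksum filled below
    pkt = fixed + ipaddress.IPv6Address(hit_src).packed + ipaddress.IPv6Address(hit_dst).packed + body
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, total) + pkt)
    return pkt[:6] + struct.pack("!H", csum) + pkt[8:]


def parse_hip_packet(pkt, src_ip, dst_ip):
    """Return (type, sender HIT, receiver HIT, [(ptype, contents), ...]); ValueError on anything malformed."""
    if len(pkt) < 40:
        raise ValueError("truncated header")
    nxt, hdr_len, type_byte, ver_res, _controls, _csum = struct.unpack("!BBBBHH", pkt[:8])
    total = (hdr_len + 1) * 8
    if len(pkt) != total:
        raise ValueError("length field does not match packet length")
    if nxt != NO_NEXT_HEADER or type_byte & 0x80 or (ver_res >> 4) != HIP_VERSION or not ver_res & 0x01:
        raise ValueError("bad fixed header fields")
    if internet_checksum(pseudo_header(src_ip, dst_ip, total) + pkt) != 0:
        raise ValueError("bad checksum")                  # also fails if the packet was re-addressed
    hit_s, hit_r = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    params, off, last = [], 40, -1
    while off < total:
        ptype, plen = struct.unpack("!HH", pkt[off:off + 4])
        end = off + 4 + plen
        if end > total:
            raise ValueError("parameter overruns packet")
        if ptype < last:
            raise ValueError("parameters not in increasing type order")
        if ptype & 0x01 and ptype not in KNOWN_PARAMS:
            raise ValueError("unrecognised critical parameter %d" % ptype)
        params.append((ptype, pkt[off + 4:end]))
        last, off = ptype, off + ((4 + plen + 7) // 8) * 8   # skip the padding
    return type_byte & 0x7F, hit_s, hit_r, params


if __name__ == "__main__":
    pkt = build_hip_packet(R1, "2001:10::2222", "2001:10::1111",
                           [(HIP_TRANSFORM, b"\x00\x01"), (PUZZLE, b"\x0a\x00\x00\x00" + bytes(8))],
                           "2001:db8::1", "2001:db8::2")
    print(len(pkt), parse_hip_packet(pkt, "2001:db8::1", "2001:db8::2"))
```

Two details matter for a receiver. Every length check happens before the checksum and before any parameter is touched, so a malformed packet costs almost nothing. And an unknown parameter is only skipped when its critical bit is clear; an unknown critical one drops the packet, which is how HIP stays extensible without silently ignoring something a peer insisted on.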

The HIP Base exchange

4-way handshake
Creates a HIP association
– Authentication of hosts
Negotiates security parameters
– Diffie-Hellman
Establishes ESP security associations
– Algorithms
– Keys

Opportunistic mode if the responder’s identity is unknown
– Use only the destination IP address in the initialization, learn the HI from the response

The HIP Base exchange – DNS query: resolving the responder’s locator

(Figure: Initiator, Responder and DNS server connected over the Internet)

DNS query: ”Responder”
DNS response: HI, IP address

The HIP Base exchange – I1 packet: initialization

(Figure: Initiator sends I1 to the Responder over the Internet)

I1: Initialization, ”Hello, I’m here. I want to talk HIP!”

The HIP Base exchange – R1 packet: challenge

(Figure: Responder sends R1 back to the Initiator)

R1: Challenge, ”Solve this puzzle”
– Puzzle
– ESP SA initialization
– D-H initialization
– HI (Responder)

The HIP Base exchange – I2 packet: puzzle solution

(Figure: Initiator sends I2 to the Responder)

I2: Challenge response
– Puzzle solution
– D-H parameters
– HI (Initiator)
– SPI (Initiator)

Initiator:
– solve the puzzle
– generate keying material
– select the ESP SPI

The HIP Base exchange – R2 packet: finalizing connection setup

(Figure: Responder sends R2 to the Initiator)

R2: Connection setup finalization
– SPI (Responder)

Responder:
– verify the puzzle
– generate keying material
– select the ESP SPI

The HIP Base exchange

(Figure: after R2, an ESP Security Association exists between Initiator and Responder across the Internet)

Security in HIP

The Host Identity is a public key
– Ownership is proven with the private key
– Used for host authentication and for setting up the HIP association

Traffic protected with IPsec Encapsulating Security Payload (ESP)
– draft-ietf-hip-esp-06
– New IPsec mode, BEET
– ESP SA establishment during the HIP base exchange
– ESP SAs bound to HITs

BEET

A Bound End-to-End Tunnel (BEET) mode for ESP
– draft-nikander-esp-beet-mode-07

BEET mode augments the existing ESP tunnel and transport modes
– end-to-end tunnels
– the purpose is to provide limited tunnel mode semantics without the overhead
– the IP addresses seen by the applications and the IP addresses used on the wire are distinct from each other
– the inner (application-visible) addresses are fixed when the SA is created instead of being carried in every packet, which is where the tunnel-mode overhead is saved

BEET mode is intended to support new uses of ESP
– e.g. mobility and multi-address multi-homing

Mobility in HIP

Connections bound to constant Host Identities (HIs)
– A mobile host gets a new locator (IP address) but keeps the same connection endpoint (HI)
– Connections don’t break

Peer host is informed of the new locator (IP addr.)
– Mobility between IPv4 and IPv6 is supported

HIP update – Location update

(Figure: MN and CN with an established HIP association across the Internet)

Location update message: ”Hi, I’ve moved to over here”

Can also be used for re-keying, with or without mobility

HIP update – Reachability test

(Figure: CN sends the test to the MN’s new address)

Reachability test: ”Are you really there?”

HIP update – Reachability reply

(Figure: MN answers from the new address)

Reachability reply: ”Yes, I am here”

The Mobility Protocol

(Figure: message flow between MN and CN)

MN ⇄ CN  ESP protected TCP/UDP, no explicit HIP header
MN → CN  UPDATE: HITs, new locator(s), sig
CN → MN  UPDATE: HITs, RR challenge, sig
MN → CN  UPDATE: HITs, RR response, sig
MN ⇄ CN  ESP protected TCP/UDP, no explicit HIP header

Prevention against attacks

HIP protects against
– impersonation attacks
  HMAC – quick and cheap verification
  SIGNATURE
– third-party DoS via a location update
  Optional address check – the host is where it claims to be
– DoS against the responder in the base exchange (BEX)
  The initiator needs to solve a puzzle, which makes the attack expensive for the attacker

Multihoming

A mobile host has many addresses over time
A multi-homed host has many addresses at the same time

The presented mechanism can be used to ADD addresses
– multiple locators for reaching a host
– connections still bound to HIs

Challenges
– source and destination address selection
– load balancing
– need to mesh SAs to avoid replay window problems
– IPsec SAs are set up symmetrically, but asymmetrical groups of addresses between hosts are possible
– updating keying material for a subset of SAs


Example

(Figure: a Mobile Node (MN) with interfaces IF1 and IF2 attached to Access Network #1 and Access Network #2, both reaching a single Correspondent Node (CN) over the Internet)

A Mobile Node (MN) having multiple connections over multiple interfaces toward a single correspondent node (CN).

DNS based initial rendezvous

How to find a moving end-point?
– Keys and/or HITs in DNS
– IP addresses in DNS
– PKI or DNSSEC needed to secure the binding from DNS names to the keys

DNS does not support mobility well
– caching
– DynDNS is not considered to be fast enough
– simultaneous movement problem

A separate Rendezvous point is needed

Benefits from using HIP

Operators
– More controlled network: data requires a HIP handshake first
– Protection against DoS and DDoS
– Resilience: integrated multi-homing, no single points of failure

Enterprises
– More secure firewalls
– Integrated mobility and multi-access, across IPv4 and IPv6

Individual users
– Supports home servers (NAT traversal)
– Configuration-free baseline security

Comparison of mobility solutions

Solution        | Pros                                                             | Cons
----------------|------------------------------------------------------------------|-------------------------------------------------------------------------
Mobile IP       | Standard, implemented, available in products, mature             | Bottleneck: home agent; only node mobility; IPv4/6 separate
NEMO            | Standard, implemented                                            | Bottleneck: home agent; triangular routing; only IPv6 subnet mobility
SIP             | Standard, implemented                                            | Slow (a lot of signaling); only SIP-based applications
NetLMM          | PMIP implemented by Cisco                                        | Ongoing standardization war; only edge mobility; to start with only IPv6
BGP (Connexion) | Based on standards, implemented by Boeing                        | A bit slow; only subnet mobility; loads BGP
HIP             | Experimental standard, IPv6+v4, implemented, incl. base security | Not on official standards track; requires new infrastructure