© Ericsson AB 2007 HIP Tutorial M2NM 2007 2007-09-11 (slide 2)
Agenda
What is the Host Identity Protocol (HIP)
– What does HIP try to solve
HIP basics
– Architecture
– The HIP base exchange
HIP basic features
– Security, Mobility, Multi-homing
HIP extensions
Mobility: HIP Mobility, Network Mobility
– Different mobility solutions, comparison of mobility solutions
Implementation status
– Implementations, usage of HIP today
Standardization
– IETF drafts, IETF status
Possible usage of HIP
HIP Mobile Router demo presentation
Conclusions

Identifier-locator split
In today's Internet
– IP address describes the topological location of the host
– IP address used for identifying the host
In practice
– deliver packet to the entity at the destination locator
– mobile host gets a new IP address: changed locator, changed identity
[Figure: locator analogy, "Room 123"]

Identifier-locator split
In HIP
– IP address describes the topological location of the host
– Host Identity used for identifying the host
In practice
– deliver packet to, e.g., the Host Identity "Patrik"
– mobile host gets a new IP address: changed locator, same identity
[Figure: identity "Patrik" is reached regardless of the locator "Room 123"]

Why HIP?
HIP provides a combination of useful features:
– Identifier-locator split
– Security
– Mobility
– IPv4 and IPv6 interoperability
– Multi-homing

Why HIP?
They are (separately) available elsewhere, but…
– IP addresses no longer work for identifying hosts
– IPsec is hard to configure
– Mobile IP is large and complex
– Mobile IPv4 and IPv6 do not work together
– No simple solutions for multi-access / multi-homing

What is the Host Identity Protocol
Architectural change to the TCP/IP stack
– A new layer between IP and transport
New namespace of Host Identities (HI)
– HI = public key
– HI presented as hash values
  IPv6: Host Identity Tag (HIT), 128 bits
  IPv4: Local Scope Identifier (LSI), 32 bits
Connections established between HIs
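Added example (not from the tutorial): how a 128-bit HIT and a 32-bit LSI can be derived from a public key, and the binding check a host should perform when a peer presents its HI. The 28-bit prefix, the SHA-256 truncation, the context string and the 1.0.0.0/8 LSI range are assumptions of this example; the standardized HIT construction (ORCHID) differs in those details.

```python
import hashlib
import ipaddress

# Assumed constants, not taken from the slides: a 28-bit prefix that keeps HITs
# apart from routable IPv6 addresses, and a context string so the hash used for
# HITs cannot be confused with any other hash of the same key.
HIT_PREFIX_BITS = 0x2001001                         # 2001:10::/28 as a 28-bit integer
HIT_CONTEXT = b"hip-tutorial-example-hit-context"   # constructed placeholder
LSI_PREFIX = 1                                      # assumed: LSIs live in 1.0.0.0/8


def hit_from_hi(hi: bytes) -> ipaddress.IPv6Address:
    """Derive a 128-bit Host Identity Tag (HIT) from a Host Identity (public key).

    The slides only say the HI "is presented as hash values"; this example
    hashes the key with SHA-256, keeps the low 100 bits and prepends the 28-bit
    prefix, giving an identifier shaped like an IPv6 address.
    """
    digest = hashlib.sha256(HIT_CONTEXT + hi).digest()
    hash_bits = int.from_bytes(digest, "big") & ((1 << 100) - 1)
    return ipaddress.IPv6Address((HIT_PREFIX_BITS << 100) | hash_bits)


def is_hit(addr: ipaddress.IPv6Address) -> bool:
    """True when the address carries the HIT prefix, i.e. it names a host, not a location."""
    return (int(addr) >> 100) == HIT_PREFIX_BITS


def lsi_from_hit(hit: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Map a HIT to a 32-bit Local Scope Identifier for IPv4-only applications.

    Assumption: the low 24 bits of the HIT under the 1.0.0.0/8 prefix.  An LSI is
    only meaningful on the host that assigned it and is never sent on the wire.
    """
    return ipaddress.IPv4Address((LSI_PREFIX << 24) | (int(hit) & 0xFFFFFF))


def is_lsi(addr: ipaddress.IPv4Address) -> bool:
    return (int(addr) >> 24) == LSI_PREFIX


def hi_matches_hit(hi: bytes, claimed_hit: ipaddress.IPv6Address) -> bool:
    """Binding check a host performs when a peer presents its HI (e.g. in R1):
    the key must hash to the HIT that was looked up beforehand, otherwise any
    key could be substituted for the expected identity."""
    return hit_from_hi(hi) == claimed_hit


if __name__ == "__main__":
    # Constructed stand-in for an encoded public key; a real HI is an RSA or DSA key.
    key_a = b"constructed-public-key-A"
    hit_a = hit_from_hi(key_a)
    print("HIT:", hit_a, "LSI:", lsi_from_hit(hit_a))
    print("binding check with the wrong key:",
          hi_matches_hit(b"constructed-public-key-B", hit_a))
```

The binding check is the part worth keeping in mind: a HIT learned from DNS is only as trustworthy as the step that confirms the key later presented by the peer hashes to it.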

What is the Host Identity Protocol
The new Host Identity layer
[Figure: stack of Process, Transport, Host Identity, IP layer, Link layer; the transport socket is bound to <Host ID, port>, the IP layer to the IP address]
Sockets bound to HIs
– IPv6: HIT
– IPv4: LSI
The Host Identity Layer translates HIs to IP addresses and vice versa

The layering in detail
[Figure: Link Layer; IP layer (fragmentation, forwarding; hop-by-hop, IP address); HIP (IPsec, mobility, multi-homing, v4/v6 bridge); Transport Layer (end-to-end, HIT)]

HIP – a new waist for TCP/IP
[Figure: two stacks side by side. Today: v4 app and v6 app over TCPv4/TCPv6 over IPv4/IPv6 over the link layer. With HIP: the same apps and transports sit on a Host identity (HIT) layer, which sits on IP (IPv4 or IPv6) over the link layer]
Interoperability between IPv4 and IPv6 – IPv6 checksum, HITs as IP addresses

Host Identity Protocol: HIP packets
I1, R1, I2, R2 – Base exchange
UPDATE – change connection parameters
– Rekeying (e.g. SA lifetime expires)
– Setting up additional SAs
– Change in locators
– Deleting SAs
CLOSE, CLOSE_ACK – closing a HIP association
NOTIFY – Notification messages

Host Identity Protocol: HIP packets
Packets consist of a HEADER and zero or more parameters
HIP header:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Next Header  |  Payload Len  |     Type      | VER.  | RES.  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Controls            |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Sender's Host Identity Tag (HIT)                |
|                                                               |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              Receiver's Host Identity Tag (HIT)               |
|                                                               |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
/                        HIP Parameters                         /
/                                                               /
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Host Identity Protocol: Parameters
Parameters are coded in Type-Length-Value format
For different purposes:
– Puzzle – solution
– Diffie-Hellman
– Transforms
– Signatures
– HMACs
– ...
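Added example (not part of the tutorial) in Python: a builder and a length-checking parser for the 40-byte header shown above and the Type-Length-Value parameters that follow it. Assumed here because the slides do not give them: the TLV layout (2-byte type, 2-byte value length, value zero-padded to an 8-byte boundary), Payload Len counted in 8-byte words after the first 8 header bytes, Next Header 59 and the packet type codes as assigned in RFC 5201, and the parameter types 1 and 2 in the sample packet, which are constructed placeholders. Controls and checksum are left zero.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

HIP_HEADER_LEN = 40          # 8 bytes of fixed fields followed by two 16-byte HITs
HIP_VERSION = 1
NEXT_HEADER_NONE = 59        # IPv6 "no next header": a HIP control packet carries no payload

# Packet type codes as assigned by the HIP base specification (RFC 5201); the
# slides name the packets but do not list the numbers.
PACKET_TYPES = {1: "I1", 2: "R1", 3: "I2", 4: "R2",
                16: "UPDATE", 17: "NOTIFY", 18: "CLOSE", 19: "CLOSE_ACK"}


@dataclass
class HipHeader:
    next_header: int
    payload_len: int     # assumed: 8-byte words following the first 8 header bytes
    packet_type: int
    version: int
    reserved: int
    controls: int
    checksum: int
    sender_hit: bytes
    receiver_hit: bytes


@dataclass
class HipParam:
    ptype: int
    value: bytes


def build_hip_packet(packet_type: int, sender_hit: bytes, receiver_hit: bytes,
                     params: List[Tuple[int, bytes]]) -> bytes:
    """Serialize a header plus TLV parameters (assumed layout: 2-byte type,
    2-byte value length, value, zero padding to an 8-byte boundary)."""
    if len(sender_hit) != 16 or len(receiver_hit) != 16:
        raise ValueError("HITs are 128 bits")
    body = b""
    for ptype, value in params:
        pad = (-(4 + len(value))) % 8
        body += struct.pack("!HH", ptype, len(value)) + value + b"\x00" * pad
    payload_len = (HIP_HEADER_LEN - 8 + len(body)) // 8
    fixed = struct.pack("!BBBBHH", NEXT_HEADER_NONE, payload_len, packet_type,
                        HIP_VERSION << 4, 0, 0)      # controls and checksum left zero
    return fixed + sender_hit + receiver_hit + body


def parse_hip_params(buf: bytes) -> List[HipParam]:
    """Walk the TLVs, checking every claimed length against the bytes actually
    present, so a truncated or malformed packet raises instead of being read
    past its end."""
    params = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("trailing bytes too short for a TLV header")
        ptype, length = struct.unpack("!HH", buf[off:off + 4])
        padded = (4 + length + 7) // 8 * 8
        if off + padded > len(buf):
            raise ValueError(f"parameter {ptype} claims {length} bytes, packet too short")
        params.append(HipParam(ptype, buf[off + 4:off + 4 + length]))
        off += padded
    return params


def parse_hip_packet(buf: bytes) -> Tuple[HipHeader, List[HipParam]]:
    """Parse the fixed header, then only as many parameter bytes as Payload Len
    announces and the buffer really holds."""
    if len(buf) < HIP_HEADER_LEN:
        raise ValueError("truncated HIP header")
    nh, plen, ptype, ver_res, controls, csum = struct.unpack("!BBBBHH", buf[:8])
    hdr = HipHeader(nh, plen, ptype, ver_res >> 4, ver_res & 0x0F, controls, csum,
                    buf[8:24], buf[24:40])
    if hdr.version != HIP_VERSION:
        raise ValueError(f"unsupported HIP version {hdr.version}")
    end = 8 + hdr.payload_len * 8
    if end > len(buf):
        raise ValueError("Payload Len exceeds the bytes received")
    return hdr, parse_hip_params(buf[HIP_HEADER_LEN:end])


if __name__ == "__main__":
    pkt = build_hip_packet(1, bytes(range(16)), bytes(range(16, 32)),
                           [(1, b"puzzle-data"), (2, b"")])   # constructed sample
    hdr, params = parse_hip_packet(pkt)
    print(PACKET_TYPES[hdr.packet_type], hdr.payload_len, params)
```

Both length fields are checked before any slice is taken; a parser that trusts Payload Len or a TLV length from the wire is the classic way a control-plane daemon gets crashed by a single malformed packet.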

The HIP Base exchange
4-way handshake
Creates a HIP association
– Authentication of hosts
Negotiates security parameters
– Diffie-Hellman
Establishes ESP security associations
– Algorithms
– Keys
Opportunistic mode if responder's identity unknown
– Use only destination IP address in initialization, learn HI

The HIP Base exchange: DNS query – resolving the responder's locator
[Figure: Initiator, Responder and DNS connected over the Internet]
DNS query: "Responder"
DNS response: HI, IP address

The HIP Base exchange: I1 packet – initialization
[Figure: Initiator, Responder and DNS connected over the Internet]
I1: Initialization, "Hello, I'm here. I want to talk HIP!"

The HIP Base exchange: R1 packet – challenge
[Figure: Initiator, Responder and DNS connected over the Internet]
R1: Challenge, "Solve this puzzle"
– Puzzle
– ESP SA initialization
– D-H initialization
– HI(Responder)

The HIP Base exchange: I2 packet – puzzle solution
[Figure: Initiator, Responder and DNS connected over the Internet]
Initiator: solve puzzle, generate keying material, select ESP SPI
I2: Challenge response
– Puzzle solution
– D-H parameters
– HI(Initiator)
– SPI(Initiator)

The HIP Base exchange: R2 packet – finalizing connection setup
[Figure: Initiator, Responder and DNS connected over the Internet]
Responder: verify puzzle, generate keying material, select ESP SPI
R2: Connection setup finalization
– SPI(Responder)

The HIP Base exchange
[Figure: ESP Security Association established between Initiator and Responder across the Internet]

Security in HIP
The Host Identity is a public key
– Prove the ownership using the private key
– Used for host authentication and setting up the HIP association
Traffic protected with IPsec Encapsulating Security Payload (ESP)
– draft-ietf-hip-esp-06
– New IPsec mode, BEET
– ESP SA establishment during HIP base exchange
– ESP SAs bound to HITs

BEET
A Bound End-to-End Tunnel (BEET) mode for ESP
– draft-nikander-esp-beet-mode-07
BEET mode augments the existing ESP tunnel and transport modes.
– end-to-end tunnels
– purpose is to provide limited tunnel mode semantics without the overhead
– IP addresses seen by the applications and the IP addresses used on the wire are distinct from each other
BEET mode is intended to support new uses of ESP
– e.g. mobility and multi-address multi-homing

Mobility in HIP
Connections bound to constant Host Identities (HIs)
– Mobile host gets a new locator (IP address), same connection endpoint (HI)
– Connections don't break
Peer host informed of new locator (IP addr.)
– Mobility between IPv4 and IPv6 is supported

HIP update: Location update
[Figure: MN and CN over the Internet, HIP association established]
Location update message: "Hi, I've moved to over here"
Can also be used for re-keying, with or without mobility

HIP update: Reachability test
[Figure: MN and CN over the Internet]
Reachability test: "Are you really there?"

HIP update: Reachability reply
[Figure: MN and CN over the Internet]
Reachability reply: "Yes, I am here"

The Mobility Protocol
[Figure: message sequence between MN and CN]
ESP protected TCP/UDP, no explicit HIP header
MN → CN   UPDATE: HITs, new locator(s), sig
CN → MN   UPDATE: HITs, RR challenge, sig
MN → CN   UPDATE: HITs, RR response, sig
ESP protected TCP/UDP, no explicit HIP header
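Added example (not from the tutorial) in Python: a small model of the three UPDATE messages above, with the correspondent node refusing to redirect traffic until the return-routability reply arrives from the announced address. Assumptions of this example: both ends hold a shared integrity key from the base exchange and use it for the HMAC parameter; the public-key SIGNATURE is not modelled; messages are dicts rather than HIP packets; the "src" and "dst" fields stand for the IP addresses the packets travel between; the HITs and addresses are constructed.

```python
import hashlib
import hmac
import json
import os


def _mac(key: bytes, msg: dict) -> str:
    """HMAC over every field except the MAC itself, canonically serialized."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _protected(key: bytes, **fields) -> dict:
    msg = dict(fields)
    msg["mac"] = _mac(key, msg)
    return msg


def _authentic(key: bytes, msg: dict) -> bool:
    return hmac.compare_digest(msg.get("mac", ""), _mac(key, msg))


class MobileNode:
    def __init__(self, key: bytes, own_hit: str, peer_hit: str, locator: str):
        self.key, self.own_hit, self.peer_hit, self.locator = key, own_hit, peer_hit, locator

    def move(self, new_locator: str) -> dict:
        """First UPDATE: announce the new locator."""
        self.locator = new_locator
        return _protected(self.key, type="UPDATE", hits=[self.own_hit, self.peer_hit],
                          locator=new_locator, src=new_locator)

    def on_update(self, msg: dict):
        """Third UPDATE: echo the CN's challenge from the new address."""
        if not _authentic(self.key, msg) or msg.get("hits") != [self.peer_hit, self.own_hit]:
            return None
        if "challenge" not in msg:
            return None
        return _protected(self.key, type="UPDATE", hits=[self.own_hit, self.peer_hit],
                          response=msg["challenge"], src=self.locator)


class Correspondent:
    def __init__(self, key: bytes, own_hit: str, peer_hit: str, peer_locator: str):
        self.key, self.own_hit, self.peer_hit = key, own_hit, peer_hit
        self.active = peer_locator      # where ESP traffic for this peer is sent
        self.pending = {}               # challenge nonce -> locator awaiting verification

    def active_locator(self) -> str:
        return self.active

    def on_update(self, msg: dict):
        # Cheap HMAC check first: a forged UPDATE is dropped before any state changes.
        if not _authentic(self.key, msg) or msg.get("hits") != [self.peer_hit, self.own_hit]:
            return None
        if "locator" in msg:
            # Second UPDATE: do not redirect traffic yet; ask the claimed address to
            # prove it is reachable. Only this challenge is sent to the new locator.
            nonce = os.urandom(16).hex()
            self.pending[nonce] = msg["locator"]
            return _protected(self.key, type="UPDATE", hits=[self.own_hit, self.peer_hit],
                              challenge=nonce, dst=msg["locator"])
        if "response" in msg:
            # Switch only when the echo comes back from the address that was challenged.
            claimed = self.pending.pop(msg["response"], None)
            if claimed is not None and msg.get("src") == claimed:
                self.active = claimed
        return None


if __name__ == "__main__":
    key = bytes(range(32))                          # constructed shared key
    mn = MobileNode(key, "2001:10::1", "2001:10::2", "192.0.2.10")
    cn = Correspondent(key, "2001:10::2", "2001:10::1", "192.0.2.10")
    challenge = cn.on_update(mn.move("198.51.100.7"))
    print("before reply:", cn.active_locator())
    cn.on_update(mn.on_update(challenge))
    print("after reply: ", cn.active_locator())
```

The two properties to observe: an UPDATE without a valid HMAC changes nothing, and an authentic UPDATE whose new address never answers the challenge changes nothing either, which is what keeps a location update from being turned into a way of flooding a third party.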

Prevention against attacks
HIP prevents against
– impersonation attacks
  HMAC – quick and cheap verification
  SIGNATURE
– third party DoS attack (location update)
  Optional address check – the host is where it is supposed to be
– making DoS expensive for the attacker (BEX)
  Initiator needs to solve puzzle
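Added example (not from the tutorial) in Python, covering the puzzle that the R1 and I2 slides of the base exchange mention and the "making DoS expensive" point here: the initiator's solver, the responder's one-hash check, and a responder that issues puzzles without keeping state per I1. The puzzle construction follows RFC 5201 (find a 64-bit J such that the lowest K bits of SHA-1(I | HIT-I | HIT-R | J) are zero); deriving I from a local secret and a time slot is one common design choice, not something the slides prescribe. HITs in the test are constructed.

```python
import hashlib
import hmac
import os

# Puzzle as in the HIP base specification (RFC 5201): I is a 64-bit value chosen
# by the responder, K the difficulty, J the 64-bit solution.
I_LEN = 8
J_LEN = 8


def puzzle_ok(I: bytes, hit_i: bytes, hit_r: bytes, J: bytes, k: int) -> bool:
    """Responder-side check: one hash, whatever K is."""
    digest = hashlib.sha1(I + hit_i + hit_r + J).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0


def solve_puzzle(I: bytes, hit_i: bytes, hit_r: bytes, k: int):
    """Initiator-side work: try J = 0, 1, 2, ... until one fits.  Expected cost
    is about 2**k hashes, so the responder scales the initiator's effort by K."""
    for n in range(1 << 62):
        J = n.to_bytes(J_LEN, "big")
        if puzzle_ok(I, hit_i, hit_r, J, k):
            return J, n + 1
    raise RuntimeError("no solution found")


class Responder:
    """Issues puzzles in R1 and checks solutions in I2 without storing anything
    per I1: I is an HMAC of a local secret, the initiator's HIT and a time slot,
    so a flood of I1s costs the responder one hash per message, and a solution
    is accepted only for the current and the previous slot."""

    SLOT_SECONDS = 60

    def __init__(self, hit_r: bytes, k: int):
        self.hit_r = hit_r
        self.k = k
        self.secret = os.urandom(32)

    def _puzzle_i(self, hit_i: bytes, slot: int) -> bytes:
        msg = hit_i + self.hit_r + slot.to_bytes(8, "big")
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:I_LEN]

    def r1(self, hit_i: bytes, now: float):
        """Build the puzzle carried in R1; nothing is stored."""
        slot = int(now // self.SLOT_SECONDS)
        return self._puzzle_i(hit_i, slot), self.k

    def accept_i2(self, hit_i: bytes, I: bytes, J: bytes, now: float) -> bool:
        """Verify I2: I must be one we could have issued recently, and J must
        solve it.  Both checks are cheap compared with solving."""
        slot = int(now // self.SLOT_SECONDS)
        issued = (self._puzzle_i(hit_i, slot), self._puzzle_i(hit_i, slot - 1))
        if not any(hmac.compare_digest(I, cand) for cand in issued):
            return False
        return puzzle_ok(I, hit_i, self.hit_r, J, self.k)


if __name__ == "__main__":
    hit_i, hit_r = bytes(range(16)), bytes(range(16, 32))   # constructed HITs
    resp = Responder(hit_r, k=16)
    I, k = resp.r1(hit_i, now=1000.0)
    J, tries = solve_puzzle(I, hit_i, hit_r, k)
    print(f"K={k}: initiator needed {tries} hashes, responder verifies with one:",
          resp.accept_i2(hit_i, I, J, now=1000.0))
```

Raising K under load is the lever the slide refers to: the responder's verification cost stays constant while the initiator's grows exponentially, and because I is bound to the initiator's HIT and a time slot, a solution cannot be reused for another identity or replayed after the slot expires.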

Multihoming
Mobile host has many addresses over time
Multi-homed host has many addresses at the same time
The presented mechanism can be used to ADD addresses
– multiple locators for reaching a host
– connections still bound to HIs
Challenges
– source and destination address selection
– load balancing
– need to mesh SAs to avoid replay window problems
– IPsec SAs are symmetrically set up, but asymmetrical groups of addresses between hosts are possible
– updating keying material for a subset of SAs

Example
[Figure: MN with interfaces IF1 and IF2 attached to Access Network #1 and Access Network #2, both reaching CN over the Internet]
A Mobile Node (MN) having multiple connections over multiple interfaces toward a single correspondent node (CN).

DNS based initial rendezvous
How to find a moving end-point?
– Keys and/or HITs in DNS
– IP addresses in DNS
– PKI or DNSSEC needed to secure the binding from DNS names to the keys
DNS does not support mobility well
– caching
– DYNDNS is not considered to be fast enough
– Simultaneous movement problem
A separate Rendezvous point is needed

Benefits from using HIP
Operators
– More controlled network: data requires HIP handshake first
– Protection against DoS and DDoS
– Resilience: integrated multi-homing, no single points of failure
Enterprises
– More secure firewalls
– Integrated mobility and multi-access, across IPv4 and IPv6
Individual users
– Supports home servers (NAT traversal)
– Configuration-free baseline security

Comparison of mobility solutions
Solution        | Pros                                                             | Cons
Mobile IP       | Standard, implemented, available in products, mature             | Bottleneck: home agent, only node mobility, IPv4/6 separate
NEMO            | Standard, implemented                                            | Bottleneck: home agent, triangular routing, only IPv6 subnet mobility
SIP             | Standard, implemented                                            | Slow (a lot of signaling), only SIP-based applications
NetLMM          | PMIP implemented by Cisco                                        | Ongoing standardization war, only edge mobility, to start with only IPv6
BGP (Connexion) | Based on standards, implemented by Boeing                        | A bit slow, only subnet mobility, loads BGP
HIP             | Experimental standard, IPv6+v4, implemented, incl. base security | Not on official standards track, requires new infrastructure