Host Identity Protocol

1
Host Identity Protocol
Presenter Linyan Liu
October 12, 2005
Advisor Dr. Chung-E Wang
Department of Computer Science
California State University, Sacramento
2
Outline

• Introduction (what,why and how)
• Architecture
• The host layer protocol and base exchange
• Mobility and Multi-homing
• Implementation and Socket API Interface
• HIP DNS extension
• Overall picture

3
What is HIP

• A multi-addressing and mobility solution for the
  Internet
• Also a security protocol for authentication and
  encryption
• Add a new layer to separate transport and network
  layers
• The new layers maps host identifiers to network
  address and vice visa

4
What is HIP (contd)

• A public key is used to identify an end-host
• A 128-bit host identify tag (HIT) is used for
  system call
• HIT is a hash on public key and has a global
  scope
• A 32-bit local scope identifier (LSI) is used
  for IPv4 compatibility

5
Why is HIP needed

• To overcome the shortcoming of existing Internet,
  namely
• The dual role of IP as both host identifier and
  locator
• The lack of security with IP
• To make end-host mobility and multi-homing very
  easy to implement

6
How it works

• HIP introduces a new layer called host identity
  layer between transport and network layers
• HIP uses base exchange to perform authentication
  and establish session keys before communication.
• Communication data are protected using IPsec ESP
• HIP provides a readdressing mechanism to support
  IP changes with mobility and multi-homing

7
The Architecture
8
The Architecture (contd)

• A new layer is added to separate transport layer
  from the network layer
• Transport layer communication is bound to host
  identity instead of IP
• The binding between host identity and IP is
  dynamic and can have a one-to-many relationship
• A host layer protocol is developed to make HIP
  work

9
The Host Layer Protocol

• a signal protocol between the communicating
  end-points
• Perform mutual end-to-end authentication and to
  create IPsec ESP Security Associations to be used
  for integrity protection and encryption
• Perform reachability verification
• Consists of 7 message types, four of which are
  dedicated to the base exchange

10
Base Exchange
11
Base Exchange (contd)

• Step 1 Initiator (I) sends the first I1 packet,
  which contains own HIT and the HIT of the
  responder to the responder (R)
• Step 2 R relies with message R1, which contains
  the HITs of I and itself as well as a puzzle
  based challenge for I to solve
• Step 3 I solves the puzzle and sends in I2 the
  HITs of itself and R as well as the solution to
  the puzzle, and performs the authentication
• Step 4 R now commits itself to the
  communication, and respond with HITs of I and
  itself, and performs the authentication.
• After this, I and R have performed the mutual
  authentication and established Security
  Associations for ESP

12
Mobility
A host can change its attachment point to the
Internet without affecting on-going communication
13
Mobility With HIP

• HIP provides dynamic binding between a Host ID
  and IP addresses.
• A mobile node sends REA (readdressing) package to
  its peer to inform the change of address
• The peer verifies the reachbility of the mobile
  node with the new address

14
Mobility With HIP (contd)
Changing address is as easy as sending a
readdressing message
15
Multi-homing
A host can have multiple network interfaces
16
Multi-homing With HIP

• HIP provides one-to-many binding between a Host
  ID and IP
• A multi-homing can send a series of available
  address to its peer and designate a preferred
  address
• The peer host can choose communication address
  in case failover or based on load balance
  consideration
• An update message is enough to make it work

17
Multi-homing with HIP(contd)
Switch from preferred address (1) to the second
address with HIP
18
HIP Implementation

• Involves kernel level programming since the host
  layer protocol works under the transport layer
• Only base exchange is implemented in a HIPL
  project
• HIP is implemented as a kernel module, which uses
  a user space daemon for cryptographic operations

19
Network Socket API

• A new protocol constant, PF_HIP, is introduced to
  HIP API design, which is comparable to
  conventional AF_INT family
• HIP API introduces little changes to the
  interface syntax of the fundamental socket API
  functions such as bind, connect, send, sendmsg,
  recv, recvfrom and recvmsg.
• A new resolver function was introduced,
  getendpointinfo, which is similar to getaddrinfo
  in conventional TCP/IP programming.

20
The Resolver
The resolver find ltHI, IPgt from DNS and passed
that info to the HIP layer to start base exchange
21
HIP DNS Extension

• Two resource records are introduced to DNS and
  used by HIP nodes.
• The HIP-HI record allows a HIP node to store its
  HI and or HIT
• The HIP-RVS records allows a HIP node to store
  its Rendezvous Servers FQDN or IP addresses
• Provide implicit HI ? IP mapping through FQDN ?
  HI and FQDN ? IP

22
The Overall Picture
Above the HI Layer, communication use HI for
identity
Below the HI layer, HI is replaced by IP for
routing
23
Conclusions

• HIP adds a layer between the transport and the
  network layers, thus separate the dual role of IP
  as both host identifier and locator
• HIP supports IP change over time with ease and
  without disrupting communications
• HIP provides strong endpoint authentication and
  communication encryption.

24
Thank you !