1 / 24

Host Identity Protocol

Host Identity Protocol. Presenter: Linyan Liu. October 12, 2005. Advisor: Dr. Chung-E Wang. Department of Computer Science. California State University, Sacramento. Outline. Introduction (what,why and how) Architecture The host layer protocol and base exchange Mobility and Multi-homing

chiara
Download Presentation

Host Identity Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Host Identity Protocol Presenter: Linyan Liu October 12, 2005 Advisor: Dr. Chung-E Wang Department of Computer Science California State University, Sacramento

  2. Outline • Introduction (what,why and how) • Architecture • The host layer protocol and base exchange • Mobility and Multi-homing • Implementation and Socket API Interface • HIP DNS extension • Overall picture

  3. What is HIP • A multi-addressing and mobility solution for the Internet • Also a security protocol for authentication and encryption • Add a new layer to separate transport and network layers • The new layers maps host identifiers to network address and vice visa

  4. What is HIP (cont’d) • A public key is used to identify an end-host • A 128-bit host identify tag (HIT) is used for system call • HIT is a hash on public key and has a global scope • A 32-bit local scope identifier (LSI) is used for IPv4 compatibility

  5. Why is HIP needed • To overcome the shortcoming of existing Internet, namely • The dual role of IP as both host identifier and locator • The lack of security with IP • To make end-host mobility and multi-homing very easy to implement

  6. How it works • HIP introduces a new layer called host identity layer between transport and network layers • HIP uses base exchange to perform authentication and establish session keys before communication. • Communication data are protected using IPsec ESP • HIP provides a readdressing mechanism to support IP changes with mobility and multi-homing

  7. The Architecture

  8. The Architecture (cont’d) • A new layer is added to separate transport layer from the network layer • Transport layer communication is bound to host identity instead of IP • The binding between host identity and IP is dynamic and can have a one-to-many relationship • A host layer protocol is developed to make HIP work

  9. The Host Layer Protocol • a signal protocol between the communicating end-points • Perform mutual end-to-end authentication and to create IPsec ESP Security Associations to be used for integrity protection and encryption • Perform reachability verification • Consists of 7 message types, four of which are dedicated to the base exchange

  10. Base Exchange

  11. Base Exchange (cont’d) • Step 1: Initiator (I) sends the first I1 packet, which contains own HIT and the HIT of the responder to the responder (R) • Step 2: R relies with message R1, which contains the HITs of I and itself as well as a puzzle based challenge for I to solve • Step 3: I solves the puzzle and sends in I2 the HITs of itself and R as well as the solution to the puzzle, and performs the authentication • Step 4: R now commits itself to the communication, and respond with HITs of I and itself, and performs the authentication. • After this, I and R have performed the mutual authentication and established Security Associations for ESP

  12. Mobility A host can change its attachment point to the Internet without affecting on-going communication

  13. Mobility With HIP • HIP provides dynamic binding between a Host ID and IP addresses. • A mobile node sends REA (readdressing) package to its peer to inform the change of address • The peer verifies the reachbility of the mobile node with the new address

  14. Mobility With HIP (cont’d) Changing address is as easy as sending a readdressing message

  15. Multi-homing A host can have multiple network interfaces

  16. Multi-homing With HIP • HIP provides one-to-many binding between a Host ID and IP • A multi-homing can send a series of available address to its peer and designate a preferred address • The peer host can choose communication address in case failover or based on load balance consideration • An update message is enough to make it work

  17. Multi-homing with HIP(cont’d) Switch from preferred address (1) to the second address with HIP

  18. HIP Implementation • Involves kernel level programming since the host layer protocol works under the transport layer • Only base exchange is implemented in a HIPL project • HIP is implemented as a kernel module, which uses a user space daemon for cryptographic operations

  19. Network Socket API • A new protocol constant, PF_HIP, is introduced to HIP API design, which is comparable to conventional AF_INT family • HIP API introduces little changes to the interface syntax of the fundamental socket API functions such as bind, connect, send, sendmsg, recv, recvfrom and recvmsg. • A new resolver function was introduced, getendpointinfo, which is similar to getaddrinfo in conventional TCP/IP programming.

  20. DNS b. <FQDN> c. <HI, addresses> a. <FQDN > Application Resolver f. <ED> d. <HI, addresses> e.<ED> Socket Layer Transport HIP Ipsec Network The Resolver The resolver find <HI, IP> from DNS and passed that info to the HIP layer to start base exchange

  21. HIP DNS Extension • Two resource records are introduced to DNS and used by HIP nodes. • The HIP-HI record allows a HIP node to store its HI and or HIT • The HIP-RVS records allows a HIP node to store its Rendezvous Server’s FQDN or IP addresses • Provide implicit HI  IP mapping through FQDN  HI and FQDN  IP

  22. The Overall Picture Above the HI Layer, communication use HI for identity Below the HI layer, HI is replaced by IP for routing

  23. Conclusions • HIP adds a layer between the transport and the network layers, thus separate the dual role of IP as both host identifier and locator • HIP supports IP change over time with ease and without disrupting communications • HIP provides strong endpoint authentication and communication encryption.

  24. Thank you !

More Related