
Host Identity Protocol Updated Feb 23, 2005 Pekka Nikander - PowerPoint PPT Presentation



  1. Host Identity Protocol
  Updated Feb 23, 2005
  Pekka Nikander, Ericsson Research Nomadiclab and Helsinki Institute for Information Technology
  http://www.hip4inter.net

  2. Presentation outline
  • Background
  • HIP in a Nutshell
  • Mobility and multi-homing (multi-addressing)
  • HIP infrastructure
  • Current status
  • Summary

  3. Presentation outline
  • Background
  • HIP in a Nutshell
  • Mobility and multi-homing (multi-addressing)
  • HIP infrastructure
  • Current status
  • Summary

  4. Background
  • A brief history of HIP
  • Architectural background
  • Related IETF Working Groups

  5. A Brief History of HIP
  • 1999: idea discussed briefly at the IETF
  • 2001: two BoFs, no WG created at that time
  • 02-03: development in the corridors
  • 2004: WG and RG created
  • Now: base protocol more or less ready
    • Four interoperating implementations
    • More work needed on mobility, multi-homing, NAT traversal, infrastructure, and other issues

  6. Architectural background
  • IP addresses serve the dual role of being
    • End-point Identifiers: names of network interfaces on hosts
    • Locators: names of topological locations
  • This duality makes many things hard

  7. New requirements to Internet Addressing
  • Mobile hosts
    • Need to change IP address dynamically
  • Multi-interface hosts
    • Have multiple independent addresses
  • Mobile, multi-interface hosts most challenging
    • Multiple, dynamically changing addresses
    • More complex environment, e.g. local-only connectivity

  8. Related IETF WGs and RGs
  [Diagram: the groups mip6, mip4, mipshop, mobike, multi6, shim6, hip, ipsec, btns and nsrg laid out under the themes Mobility, Multi-homing, Security and ID/loc split]

  9. Presentation outline
  • Background
  • HIP in a Nutshell
  • Mobility and multi-homing (multi-addressing)
  • HIP infrastructure
  • Current status
  • Summary

  10. HIP in a Nutshell
  • Architectural change to TCP/IP structure
  • Integrates security, mobility, and multi-homing
    • Opportunistic host-to-host IPsec ESP
    • End-host mobility, across IPv4 and IPv6
    • End-host multi-address multi-homing, IPv4/v6
    • IPv4 / v6 interoperability for apps
  • A new layer between IP and transport
  • Introduces cryptographic Host Identifiers

  11. The Idea
  • A new Name Space of Host Identifiers (HI)
    • Public crypto keys!
    • Presented as 128-bit long hash values, Host Identity Tags (HIT)
  • Sockets bound to HIs, not to IP addresses
  • HIs translated to IP addresses in the kernel
  [Diagram of the stack: Process ↔ <Host ID, port>; Transport ↔ Host ID; Host Identity layer maps Host ID to IP addr; IP layer ↔ IP addr; Link layer]

  12. An analogy: What if people were hosts
  • Current IP: “Connect to whoever happens to be at +1-123-456-7890”
  • HIP: “Connect to” a particular person, rather than to whoever is at an address

  13. More detailed layering
  [Diagram, top to bottom: Transport Layer (end-to-end, HITs); HIP layer (IPsec, v4/v6 bridge, multi-homing, mobility); IP layer (fragmentation, forwarding; hop-by-hop, IP addresses); Link Layer]

  14. Protocol overview (Initiator ↔ Responder)
  Control:
  • I1: HIT_I, HIT_R or NULL
  • R1: HIT_I, [HIT_R, puzzle, DH_R, HI_R]sig
  • I2: [HIT_I, HIT_R, solution, DH_I, {HI_I}]sig
  • R2: [HIT_I, HIT_R, authenticator]sig
  Data:
  • User data messages
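The four-message exchange on the slide, worked through as an added example (this is not code from the presentation or from any HIP implementation). Everything in it is constructed for illustration: P and G form a tiny Diffie-Hellman group, a Schnorr-style signature over that group stands in for the HI's real public-key signature, and the puzzle rule "low K bits of SHA-256(I | HIT_I | HIT_R | J) must be zero" is an assumed simplification. The point it shows is the one a defender cares about: the responder keeps no state for I1 and derives the puzzle nonce from a secret, so it can verify the I2 solution cheaply before spending a signature check, while the initiator ties the HI it receives to the HIT it asked for.

```python
"""Toy model of the HIP base exchange: I1, R1 (puzzle), I2 (solution), R2."""
import hashlib
import hmac
import os
import secrets

P = 2**127 - 1   # toy prime modulus (Mersenne prime); NOT a real HIP DH group
G = 3            # toy generator
K = 12           # puzzle difficulty in bits, chosen by the responder


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")  # every value mod P fits in 16 bytes


def hit(hi: int) -> bytes:
    """Host Identity Tag: 128-bit hash of the Host Identifier (public key)."""
    return h(i2b(hi))[:16]


def sign(priv: int, msg: bytes) -> tuple:
    k = secrets.randbelow(P - 2) + 1
    e = int.from_bytes(h(i2b(pow(G, k, P)), msg), "big")
    return e, (k - priv * e) % (P - 1)  # exponents reduced mod P-1 (P is prime)


def verify(hi: int, msg: bytes, sig: tuple) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(hi, e, P) % P
    return e == int.from_bytes(h(i2b(r), msg), "big")


def puzzle_ok(nonce: bytes, hit_i: bytes, hit_r: bytes, j: int) -> bool:
    d = int.from_bytes(h(nonce, hit_i, hit_r, j.to_bytes(8, "big")), "big")
    return d & ((1 << K) - 1) == 0


def solve_puzzle(nonce: bytes, hit_i: bytes, hit_r: bytes) -> int:
    j = 0
    while not puzzle_ok(nonce, hit_i, hit_r, j):  # brute force, ~2**K tries
        j += 1
    return j


class Host:
    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.hi = pow(G, self.priv, P)          # HI: long-lived public key
        self.hit = hit(self.hi)
        self.dh_priv = secrets.randbelow(P - 2) + 1
        self.dh_pub = pow(G, self.dh_priv, P)   # ephemeral DH value
        self.puzzle_secret = os.urandom(32)     # lets a responder stay stateless


def base_exchange(init: Host, resp: Host) -> dict:
    # I1: initiator -> responder, HITs only. The responder stores nothing.
    hit_i, hit_r = init.hit, resp.hit
    # R1: nonce I is derived from a secret, so the responder can recompute it
    # when I2 arrives instead of keeping per-initiator state.
    nonce = hmac.new(resp.puzzle_secret, hit_i, "sha256").digest()[:8]
    r1 = hit_r + nonce + bytes([K]) + i2b(resp.dh_pub) + i2b(resp.hi)
    r1_sig = sign(resp.priv, r1)
    # Initiator: HI_R must hash to the HIT it wanted, and the signature must hold.
    hi_r = int.from_bytes(r1[41:57], "big")
    if hit(hi_r) != hit_r or not verify(hi_r, r1, r1_sig):
        raise ValueError("R1 rejected")
    j = solve_puzzle(r1[16:24], hit_i, hit_r)
    i2 = hit_i + hit_r + j.to_bytes(8, "big") + i2b(init.dh_pub) + i2b(init.hi)
    i2_sig = sign(init.priv, i2)
    # Responder: cheap puzzle check first, expensive signature check second.
    nonce_again = hmac.new(resp.puzzle_secret, i2[:16], "sha256").digest()[:8]
    if not puzzle_ok(nonce_again, i2[:16], i2[16:32], int.from_bytes(i2[32:40], "big")):
        raise ValueError("I2 puzzle solution wrong")
    hi_i = int.from_bytes(i2[56:72], "big")
    if hit(hi_i) != i2[:16] or not verify(hi_i, i2, i2_sig):
        raise ValueError("I2 rejected")
    # Both sides derive keying material from DH; R2 carries an authenticator.
    key_r = h(i2b(pow(int.from_bytes(i2[40:56], "big"), resp.dh_priv, P)))
    key_i = h(i2b(pow(int.from_bytes(r1[25:41], "big"), init.dh_priv, P)))
    r2_auth = hmac.new(key_r, hit_i + hit_r, "sha256").digest()
    if not hmac.compare_digest(r2_auth, hmac.new(key_i, hit_i + hit_r, "sha256").digest()):
        raise ValueError("R2 authenticator mismatch")
    return {"puzzle_solution": j, "key_i": key_i, "key_r": key_r}


if __name__ == "__main__":
    result = base_exchange(Host(), Host())
    print("exchange complete, puzzle solved with J =", result["puzzle_solution"])
```

Raising K makes the initiator's I2 cost grow exponentially while the responder's check stays one hash, which is how a loaded responder shifts work onto initiators; the real protocol's hash, group and encoding differ from this toy, but the ordering of checks is the same.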

  15. How applications work today (when IPsec ESP is used)
  [Diagram: the client app asks the DNS library, which sends a DNS query to the DNS server and gets back IP_S; the app calls connect(IP_S) through the socket API; TCP sends a SYN to IP_S from IP_C; IPsec consults the SPD and SAD, IKE on both hosts negotiates the SA, and the ESP-protected TCP SYN is sent to IPaddr_S, where the server's IPsec (SAD, SPD) decrypts it and passes it through the socket API to the server app]

  16. Using HIP with ESP
  [Diagram: as on the previous slide, but the DNS reply carries a HIT, which the HIP daemon maps to a set of IP addresses (HIT - - - - - > {IP addresses}); the app calls connect(HIT_S); TCP sends the SYN to HIT_S from HIT_C; the HIP daemons on both hosts run the HIP exchange and set up the IPsec SAs (SPD, SAD); on output HITs are converted to IP addresses and the ESP-protected SYN goes to IPaddr_S; on input the server converts IP addresses back to HITs before passing the packet up through the socket API]

  17. Many faces
  • More established views:
    • A different IKE for simplified end-to-end ESP
    • Super Mobile IP with v4/v6 interoperability and dynamic home agents
    • A host multi-homing solution
  • Newer views:
    • New waist of IP stack; universal connectivity
    • Secure carrier for signalling protocols

  18. HIP as the new waist of TCP/IP
  [Diagram, two hosts side by side: v4 app and v6 app over TCPv4 and TCPv6, over a single Host identity layer, over IPv4 and IPv6, over the link layer]

  19. HIP for universal connectivity
  • Goal:
    • Lowest layer providing location-independent identifiers and end-to-end connectivity
  • Work in progress:
    • Support for traversing legacy NATs
    • Firewall registration and authentication
    • Architected middleboxes or layer 3.5 routing
    • Identity-based connectivity with DHTs

  20. Signalling carrier
  • Originally HIP supported only ESP-based user data transport (previous slides)
  • ESP is now being split from the base protocol
  • Base protocol is becoming a secure carrier for any kinds of signalling
  • Support for separate signalling and data paths
    • Implicitly present in the original design
    • Now being made more explicit

  21. Presentation outline
  • Background
  • HIP in a Nutshell
  • Mobility and multi-homing (multi-addressing)
  • HIP infrastructure
  • Current status
  • Summary

  22. Introduction to IP based mobility and multi-homing
  • Mobility implemented at “IP layer”
  • IP addresses are assigned according to topology
    • Allows for routing prefix aggregation
  • Mobile hosts change their topological location
  • Multi-homed hosts present at many locations
  • In an IP based m&m solution
    • Transport & apps do not see address changes or multiple addresses

  23. Rendezvous
  • Initial rendezvous
    • How to find a moving end-point?
    • Can be based on directories
    • Requires fast directory updates → Bad match for DNS
  • Tackling double-jump
    • What if both hosts move at same time?
    • Requires rendezvous point

  24. Mobile IP
  • Home Agent (HA)
  • Serves a Home Address
  • Initial reachability
  • Triangular routing
  • Route optimization
  • Tunnels to bypass HA
  • HA as rendezvous point
  [Diagram: mobile node (MN), home agent (HA) and correspondent node (CN)]

  25. Two types of IP multi-homing
  [Diagram: routing based multi-homing, where one prefix (192.1.1.0/24) is reachable over more than one path, versus multi-addressing, where the host holds addresses from two prefixes (193.2.1.0/24 and 192.1.1.0/24)]

  26. Multi-addressing dimensions
  [Diagram: a grid whose columns are the scope of the multi-addressed entity (one host, single subnet, parts of topology, all hosts) and whose rows are multi-homing and mobility. Multi-homing row: end-host multihoming, SoHo site multihoming, enterprise multihoming. Mobility row: end-host mobility, moving networks (NEMO). Between the rows: moving, ad hoc multi-homed networks]

  27. HIP Mobility & Multi-homing
  • Mobility and multi-homing become duals of each other
    • Mobile host has many addresses over time
    • Multi-homed host has many addresses at the same time
  • Leads to a Virtual Interface Model
    • A host may have real and virtual interfaces
    • Merges the “Home Agent”

  28. Virtual interface model
  [Figure only]

  29. Mobility protocol (Mobile ↔ Corresponding)
  • Mobile → Corresponding: UPDATE: HITs, new locator(s), sig
  • Corresponding → Mobile: UPDATE: HITs, RR challenge, sig
  • ESP from MN to CN
  • Mobile → Corresponding: UPDATE: HITs, RR response, sig
  • ESP on both directions
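The three UPDATE messages on the slide, modelled as an added example (not code from the presentation or from any HIP implementation). It assumes the two hosts already share a key from a completed base exchange, represents packets as plain dicts, and uses an HMAC over the fields in place of the UPDATE signature; all HITs and addresses are constructed. The behaviour it isolates is the return-routability (RR) rule: the corresponding node accepts ESP from an announced locator at once, but does not start sending to it until the RR challenge sent to that locator comes back, which is what keeps an authenticated peer from redirecting traffic at an address it does not actually hold.

```python
"""Toy HIP locator UPDATE with return-routability check."""
import hmac
import os


def mac(key: bytes, msg: dict) -> bytes:
    # Stand-in for the UPDATE signature: HMAC over all fields except "mac".
    data = "|".join(f"{k}={msg[k]}" for k in sorted(msg) if k != "mac").encode()
    return hmac.new(key, data, "sha256").digest()


def authentic(key: bytes, msg: dict) -> bool:
    return hmac.compare_digest(msg.get("mac", b""), mac(key, msg))


class Peer:
    """One end of a HIP association, tracking where ESP goes to and comes from."""

    def __init__(self, hit: str, addr: str, peer_addr: str, key: bytes):
        self.hit, self.addr, self.key = hit, addr, key
        self.peer_addr = peer_addr      # locator ESP is sent to
        self.inbound_ok = {peer_addr}   # locators ESP is accepted from
        self.pending = {}               # new locator -> outstanding RR challenge

    # mobile-node side
    def move(self, new_addr: str) -> dict:
        """Move to new_addr and announce it: UPDATE with HIT, locator, sig."""
        self.addr = new_addr
        msg = {"type": "UPDATE", "src": self.hit, "locator": new_addr}
        msg["mac"] = mac(self.key, msg)
        return msg

    def answer_challenge(self, msg: dict):
        """UPDATE carrying the RR response; sent from the new locator."""
        if not authentic(self.key, msg) or "challenge" not in msg:
            return None
        reply = {"type": "UPDATE", "src": self.hit, "response": msg["challenge"]}
        reply["mac"] = mac(self.key, reply)
        return reply

    # corresponding-node side
    def on_update(self, msg: dict, from_addr: str):
        """Process an UPDATE received from from_addr; return the reply or None."""
        if not authentic(self.key, msg):
            return None                 # not signed with the association key
        if "locator" in msg:
            # Accept inbound from the new locator, but challenge it before
            # sending anything there: the peer must prove it can receive at it.
            self.inbound_ok.add(msg["locator"])
            nonce = os.urandom(16).hex()
            self.pending[msg["locator"]] = nonce
            reply = {"type": "UPDATE", "src": self.hit, "challenge": nonce}
            reply["mac"] = mac(self.key, reply)
            return reply                # to be sent to msg["locator"]
        if "response" in msg and self.pending.get(from_addr) == msg["response"]:
            del self.pending[from_addr]
            self.peer_addr = from_addr  # reachability verified: switch outbound ESP
        return None


def run_handover(mn: Peer, cn: Peer, new_addr: str) -> dict:
    """Full exchange from the slide; returns where CN sent ESP before and after RR."""
    u1 = mn.move(new_addr)
    u2 = cn.on_update(u1, new_addr)     # challenge, addressed to new_addr
    before = cn.peer_addr               # still the old locator at this point
    u3 = mn.answer_challenge(u2)
    cn.on_update(u3, mn.addr)           # response arrives from the new locator
    return {"send_to_before_rr": before, "send_to_after_rr": cn.peer_addr}


if __name__ == "__main__":
    key = os.urandom(32)                # constructed: would come from the base exchange
    mn = Peer("HIT_MN", "10.0.0.2", "192.0.2.1", key)
    cn = Peer("HIT_CN", "192.0.2.1", "10.0.0.2", key)
    print(run_handover(mn, cn, "10.1.1.7"))
```

Note that the challenge is bound to the address it was sent to (`pending` is keyed by locator and the response is looked up under the address it arrived from), so a response relayed from elsewhere does not verify; the real protocol also carries sequence numbers to stop replay of an old locator announcement, which this toy omits.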

  30. Presentation outline
  • Background
  • HIP in a Nutshell
  • Mobility and multi-homing (multi-addressing)
  • HIP infrastructure
  • Current status
  • Summary

  31. Key distribution for HIP
  • Depends on application
  • For multi-addressing, self-generated keys
  • Usually keys in the DNS
  • Can use PKI if needed
  • Opportunistic mode supported
    • SSH-like leap-of-faith
    • Accept a new key if it matches a fingerprint
  [Diagram: client app sends a DNS query to the DNS server and receives a DNS reply with A, AAAA and KEY records]
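The SSH-like leap-of-faith acceptance from the slide, as an added example (not code from the presentation or from any HIP implementation). It assumes HIT = first 128 bits of SHA-256(HI), a constructed convention for this toy, and a store that pins the HIT seen on first contact under the name the application used to reach the peer, much like a known_hosts file. The two checks worth separating are shown: the presented HI must actually hash to the claimed HIT (otherwise anyone could claim any HIT), and a later contact under the same name with a different HIT is a mismatch to alarm on, not a key to accept silently; an optional out-of-band fingerprint short-circuits the faith step entirely.

```python
"""Leap-of-faith HIT pinning with a fingerprint check."""
import hashlib


def hit_of(hi: bytes) -> bytes:
    """Constructed HIT convention for this example: 128 bits of SHA-256(HI)."""
    return hashlib.sha256(hi).digest()[:16]


class LeapOfFaithStore:
    NEW, KNOWN, MISMATCH, BOGUS = "new", "known", "mismatch", "bogus"

    def __init__(self):
        self.pinned = {}   # peer name -> HIT accepted on first contact

    def check(self, peer_name: str, claimed_hit: bytes, hi: bytes,
              expected_hit: bytes = None) -> str:
        # 1. The HI must hash to the HIT the peer claims; otherwise the peer is
        #    presenting someone else's identifier with its own key.
        if hit_of(hi) != claimed_hit:
            return self.BOGUS
        # 2. A fingerprint obtained out of band (the slide's "matches a
        #    fingerprint" case) overrides faith: accept only an exact match.
        if expected_hit is not None:
            if claimed_hit != expected_hit:
                return self.MISMATCH
            self.pinned[peer_name] = claimed_hit
            return self.KNOWN
        # 3. No fingerprint: first contact is accepted on faith and pinned;
        #    every later contact must present the same HIT for this name.
        pinned = self.pinned.get(peer_name)
        if pinned is None:
            self.pinned[peer_name] = claimed_hit
            return self.NEW
        return self.KNOWN if pinned == claimed_hit else self.MISMATCH


if __name__ == "__main__":
    store = LeapOfFaithStore()
    hi_a = b"constructed-public-key-A"       # stand-ins for real HI key material
    hi_b = b"constructed-public-key-B"
    print(store.check("server.example", hit_of(hi_a), hi_a))   # new
    print(store.check("server.example", hit_of(hi_a), hi_a))   # known
    print(store.check("server.example", hit_of(hi_b), hi_b))   # mismatch
```

A MISMATCH result should refuse the association and surface an alert rather than re-pin, since the whole protection of leap-of-faith is that the first-contact window is the only moment an impostor's key is accepted without notice.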

  32. HIP registration protocol (Client ↔ Server)
  • Client → Server: I1
  • Server → Client: R1 + REG_INFO
  • Client → Server: I2 + REG_REQUEST
  • Server → Client: R2 + REG_RESPONSE

  33. Basic HIP rendezvous
  [Diagram: the server performs rendezvous registration with the rendezvous server; the client's I1 reaches the server via the rendezvous server, and R1, I2 and R2 are exchanged directly between client and server]

  34. The infrastructure question
  • HIs originally planned to be stored in the DNS
    • Retrieved simultaneously with IP addresses
    • Does not work if you have only a HIT
  • Question: How to get data based on HIT only?
    • HITs look like 128-bit random numbers
  • Possible answer: DHT based overlay like i3

  35. Distributed Hash Tables
  • Distributed directory for flat data
  • Several different ways to implement
    • Each server maintains a partial map
    • Overlay addresses to direct to the right server
    • Resilience through parallel, unrelated mappings
  • Used to create overlay networks

  36. Rendezvous abstraction
  • Trigger inserted by receiver(s)
  • Packets addressed to identifiers
  • i3 routes packet to the receiver(s)
  [Diagram: the receiver R inserts the trigger (ID, R); the sender calls send(ID, data); i3 delivers it to R as send(R, data)]

  37. Hi3: combining HIP and i3
  • Developed at Ericsson Research IP Networks
  • Uses i3 overlay for HIP control packets
    • Provides rendezvous for HIP
  • Data packets use plain old IP
    • Cryptographically protected with ESP
  • Only soft or optional state in the network

  38. Hi3 overlay and IP-based connectivity
  [Diagram: i3 overlay based control plane over an IP-based user plane]

  39. Control/data separation
  [Diagram: identifier ID and receiver R]

  40. Control / data separation
  • i3 overlay for signalling (control plane)
    • Identity-based routing for HIP
  • E2E IPsec ESP for data traffic
  • Firewalls opened dynamically
    • Only end-to-end signalling (HIP)
    • Middle boxes “snoop” e2e messages
