On Host Identity Protocol

Similar documents
Host Identity Protocol. Miika Komu Helsinki Institute for Information Technology

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

Host Identity Protocol

Host Identity Protocol (HIP): Connectivity, Mobility, Multi-Homing, Security, and Privacy over IPv4 and IPv6

Host Identity Protocol, PLA, and PSIRP

Host Identity Protocol. Host Identity Protocol. Outline. Outline (cont) Host Identity Protocol Why HIP? Host Identity Protocol

Host Identity Protocol (HIP):

Internet Engineering Task Force (IETF) Request for Comments: Ericsson A. Johnston Avaya January 2011

On Protocol Design. T Computer Networks Miika Komu Data Communications Software Group CSE / Aalto University

Internet Engineering Task Force (IETF) January 2014

What is HIP? A brief introduction to the Host Identity Protocol. 5. Aug

Ericsson Research NomadicLab M. Komu Helsinki Institute for Information Technology September 2008

Performance Evaluation and Experiments for Host Identity Protocol

Name based sockets. Javier Ubillos Swedish Institute of Computer Science. Zhongxing Ming Tsinghua University. July 25 th, 2010

Host Identity Indirection Infrastructure Hi 3. Jari Arkko, Pekka Nikander and Börje Ohlman Ericsson Research

Internet Research Task Force (IRTF) Category: Informational. March The Host Identity Protocol (HIP) Experiment Report

Definition of firewall

Secure and Efficient IPv4/IPv6 Handovers Using Host-Based Identifier-Locator Split

Host Identity Protocol

CSC 474/574 Information Systems Security

Internet Engineering Task Force (IETF) July 2011

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Host Identity Protocol Version 2.5

IPV6 SIMPLE SECURITY CAPABILITIES.

Why do we really want an ID/locator split anyway?

Network Address Translators (NATs) and NAT Traversal

Internet security and privacy

Network Configuration Example

2009/10/01. Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Obsoleted by RFC3596 [7] RFC 1887

Virtual ID: A Technique for Mobility, Multi- Homing, and Location Privacy in Next Generation Wireless Networks

Foreword xxiii Preface xxvii IPv6 Rationale and Features

USING HIP TO SOLVE MULTI-HOMING IN IPV6 NETWORKS

Distributed User Authentication in Wireless LANs

SAVAH: Source Address Validation with Host Identity Protocol

User-Relative Names for Globally Connected Personal Devices

LISP Locator/ID Separation Protocol

CSE543 Computer and Network Security Module: Network Security

Advanced Security and Forensic Computing

Developing ILNP. Saleem Bhatti, University of St Andrews, UK FIRE workshop, Chania. (C) Saleem Bhatti.

Ecient Leap of Faith Security with Host Identity Protocol

IP Mobility vs. Session Mobility

Name based sockets. Javier Ubillos. Swedish Institute of Computer Science. July 25 th, 2010

Advanced Security and Mobile Networks

MILSA: A Mobility and Multihoming Supporting Identifier Locator Split Architecture for Naming in the Next Generation Internet

Internet Engineering Task Force (IETF) Category: Standards Track ISSN: October Host Identity Protocol (HIP) Rendezvous Extension

T Network Application Frameworks and XML Routing and mobility Tancred Lindholm. Based on slides by Sasu Tarkoma and Pekka Nikander

Virtual Private Network

IPv6 support. Chris Mitchell. Program Manager Microsoft Corporation Windows Networking & Communications IPv6

Why IPv6? Roque Gagliano LACNIC

WiNG 5.x How-To Guide

Stateful Network Address Translation 64

IPv6 Transition Mechanisms

NAT Examples and Reference

Workshop on HIP and Related Architectures Workshop Overview November 6, 2004 Tom Henderson, Pekka Nikander, and Scott Shenker

Evolving the Internet Architecture Through Naming

Secure Networking with NAT Traversal for Enhanced Mobility

NAT Examples and Reference

T Computer Networks II. Mobility Issues Contents. Mobility. Mobility. Classifying Mobility Protocols. Routing vs.

Configuring OpenVPN on pfsense

Internet Engineering Task Force (IETF) Category: Standards Track. J. Arkko Ericsson February Host Multihoming with the Host Identity Protocol

IPsec NAT Transparency

Mapping of Address and Port Using Translation

Network Working Group. Intended status: Standards Track Expires: September 2, 2018 March 1, 2018

CyberP3i Course Module Series

Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Performance of Host Identity Protocol on Lightweight Hardware

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

CSE/EE 461: Introduction to Computer Communications Networks Autumn Module 9

Configuring FlexVPN Spoke to Spoke

Installation & Configuration Guide Version 1.6

Chapter 5.6 Network and Multiplayer

Introduction to Firewalls using IPTables

Implementation Guide - VPN Network with Static Routing

A Multihoming based IPv4/IPv6 Transition Approach

IPv6 Transition Mechanisms

Radware ADC. IPV6 RFCs and Compliance

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Boeing HIP Secure Mobile Architecture - update

Virtual Private Networks (VPN)

INTRODUCTION TO HOST IDENTITY PROTOCOL (HIP) AND

Hands-On TCP/IP Networking

COMPUTER NETWORK SECURITY

Dockercon 2017 Networking Workshop

ETSF05/ETSF10 Internet Protocols Network Layer Protocols

Realtime Multimedia in Presence of Firewalls and Network Address Translation. Knut Omang Ifi/Oracle 9 Nov, 2015

Introduction to IPv6. Stig Venaas, UNINETT /18/2001

Design and Evaluation of Host Identity Protocol (HIP) Simulation Framework for INET/OMNeT++

Tik Network Application Frameworks. IPv6. Pekka Nikander Professor (acting) / Chief Scientist HUT/TML / Ericsson Research NomadicLab

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Mobility Through Naming: Impact on DNS

Parts of a Network. app. router. link. host. Computer Networks 2

ILNP: a whirlwind tour

Independent Local Locator Substrate Indirection Transport ILLSIT

MTA_98-366_Vindicator930

Component Function Example

Configuration Guide. How to connect to an IPSec VPN using an iphone in ios. Overview

Separating Friends from Spitters

Transcription:

On Host Identity Protocol Miika Komu <miika@iki.fi> Data Communications Software Group Dep. of Computer Science and Engineering School of Science Aalto University 17.10.2011

Table of Contents Introduction Naming and Layering Control Plane Data Plane

Introduction

Motivation Why do I need screen for IRC session? Why Youtube video stops when I switch from 3G to WLAN? Why do I need to pinhole my NAT box to reach my home server? Why do I use SSH instead of telnet? Why do we have NFSv4? Why do we passwords for WLAN?

Identity-Locator Split Identity-locator split separates the who from where Application and transport layer sees the who Network layer sees where Benefits of id-loc split Realized e.g. in HIP, LISP, SHIM6 Isolates upper layers from network changes Useful for mobile devices Disadvantage: indirection introduces complexity

Benefits of Host Identity Protocol Protects and/or authenticates application data IPsec or S-RTP can be used IPv4 applications can talk to IPv6 apps Mobility and multihoming for transport layer Works in IPv4 and IPv6 networks End-to-end NAT traversal Connect to home server without pinholing Backwards compatible TCP, UDP, IPv4, IPv6, ICMP(v6)

Drawbacks of Host Identity Protocol Additional complexity New layer of indirection New namespace to manage (e.g. reverse look up) Security is transparent How does application or user know when connection is secured? TCP is still the bottleneck Suspending of laptop for hours disconnects TCP Is it too late? Generic architecture Specific solutions exist (MobileIP, VPN, SSH, etc)

HIP Standardization Work split to two working groups Internet Engineering Task Force (IETF) Internet Research Task Force (IRTF) RFC5201-5201, RFC4423, RFC5338 Experimental track Moving to standards track (see bis drafts) Major change in RFC5201 Cryptoagility

Naming and Layering

Layering in Naming in HIP User Interface Application Layer Transport Layer HIP Layer Network Layer FQDN HIT (or LSI), port and proto HIT, port HI IP address

Non-HIP vs. HIP Socket Bindings P r o c e s s S o c k e t P r o c e s s S o c k e t E n d p o i n t E n d p o i n t H o s t I d e n t i t y D y n a m i c B i n d i n g L o c a t i o n I P a d d r e s s L o c a t i o n I P a d d r e s s

APIs Application Layer Application Socket Layer IPv4 API IPv6 API HIP API Transport Layer TCP UDP HIP Layer HIP Network Layer IPv4 IPv6 Link Layer Ethernet

Client-Side Name Look Up Example 1. getaddrinfo(hostname) DNS 2. hostname 3. <HIT, IP> Application 7. connect(hit) 6. HIT Resolver or DNS Proxy 5. 4. <HIT, IP> Socket Layer Transport HIP IPsec Network 8. base exchange Peer Host 9. ESP protected application data

Implemeting Name Translation #1 LD_PRELOAD getaddrinfo() #2 Local DNS Proxy #2a Snoop DNS requests with iptables #2b Substitute nameserver in /etc/resolv.conf #3 No changes to DNS interaction Implement lower in the stack (opp. mode) Implemented in a router (HIP proxy)

GUI / End-user Firewall An optional GUI can be used for managing all collecting HITs HIP is visible to the user (but not application) The GUI can prompt the user to accept incoming or outgoing connections Similar to end-user firewalls Screenshot from HIPL

Control Plane

I N I T I A T O R The Base Exchange I1 : trigg er base ex chan ge R 1 : p u z z le, D - H, k e y, sig n a tu r e I2 : puzzle solution, D -H, key, sig nature R 2 : sig n a tu r e R E S P O N D E R

Opportunistic Mode I1 sent to an unknown HIT Less secure than normal HIP Leap of faith (like in SSH) Subsequent connections can be cached Does not require public keys in DNS Convenient for Service registration HIP-aware applications HIP anycast Problematic for NAT traversal

Handover (UPDATE) M N C N 1 ) U P D : E S P _ I N F O, L O C A T O R, S E Q [, D - H ] 3 ) [ c r e a t e S A ] 2 ) U P D : E S P _ I N F O, A C K, S E Q, E _ R Q [, D - H ] 4 ) U P D : E S P _ I N F O, E _ R S 5 ) [ c r e a t e S A ]

Native NAT Traversal using HIP HIP Relay Server Initiator 1. base exchange with locators Responder N A T 3. connectivity tests 4. ESP N A T 2. pair up locators pair up locators 2. ESP Relay Server

Native NAT Traversal vs. Teredo Teredo pros Plenty of free Teredo servers available No changes to the HIP implementation Teredo cons Servers that do full relay cost Teredo requires an IPv6 application (without HIP) In windows, a socket option in the app Patented by Microsoft

IPv4-IPv6 Interoperability At the network layer Identity-locator split hides the underlying access technology from applications Cross-family handovers from IPv4 to IPv6 and vice versa are trivial (not available in MobileIP) At the application layer HITs for applications requesting IPv6 LSIs for applications requesting IPv4 IPv4 apps can talk with IPv6 apps!

Data Plane

HIP and IPsec Currently BEET mode ESP is the default HIP supports negotiating others (e.g S-RTP) Implemented in the Linux and BSD kernel Linux and Windows can use userspace impl. Public-key protected data plane (hiccups) Avoids the base exchange and use of IPsec Data protected with public-key signatures Switch to IPsec by sending an R1

HIP Proxy Proxy support on an intermediary host No changes at client and/or server side Similar to VPN gateways Can be implemented on different layers ARP level proxy (see Tofino security product) IP level proxy (supported by several HIP s/w) HTTP proxy (HIP between the client and proxy) Can use different naming or routing methods Normal or opportunistic mode Normal IP routing or overlays (e.g. Tofino)

Cool HIP Extensions HIP is too fat? RFID version of HIP HIP Diet Exchange PISA Wifi Sharing Mobile proxy Authenticates people sharing WLANs with HIP Handover delegation to a middlebox HIP-based Virtual Private LAN service Connects transparently separate networks

Questions? Miika Komu <miika@iki.fi> Documentation and software for HIPL: http://hipl.hiit.fi/ Interested in contributing? Contact us: https://launchpad.net/hipl Other two HIP implementations: http://www.openhip.org/ http://www.hip4inter.net/

Literature 1/3 RFC5201-5206 RFC4423, Host Identity Protocol Architecture, Moskowitz et al, May 2006 RFC5338: Using the Host Identity Protocol with Legacy Applications, Henderson et al, Sep 2008 Integrating Mobility, Multi-homing and Security in a HIP way, Pekka Nikander et al, Feb 2003 Using DNS as an Access Protocol for Mapping Identifiers to Locators, Ponomarev et al, November 2007 RCF6317: Basic Socket Interface Extensions to Host Identity Protocol, Komu et al, Jul 2011

Literature 2/3 Overview and Comparison Criteria for Host Identity Protocol and Related Technologies, Koponen et al, Feb 2005 Leap-of-faith security is Enough for IP mobility, Komu et al, Jan 2009 HIP-based Virtual Private LAN, Henderson et al, Sep 2011 Enterprise Network Packet Filtering for Mobile Cryptographic Identities, Janne Lindqvist et al, June 2007 Native NAT Traversal Mode for HIP, Keränen et al, Jan 2011 Host Identity Protocol (HIP), Connectivity, Mobility, Multihoming, Security and Privacy over IPv4 and IPv6 Networks, Nikander et al, 2010

Literature 3/3 Secure and Efficient IPv4/IPv6 Handovers using Host-based Identifier-Locator Split, Varjonen et al, September 2009 RFC6078: HIP Immediate Carriage and Conveyance of Upper- Layer Protocol Signaling (hiccups), Nikander et al, Jan 2011 Host Identity Protocol Proxy, Salmela et al, Nov 2007 Backwards Compatibility Experimentation with Host Identity Protocol and Legacy Software and Networks, master thesis, Finez, Dec 2008 HIP Support for RFIDs, Urien et al, Nov 2010 HIP Diet Exchange, Moskowitz, Jan 2011 HIP-based Mobile Proxy, Melen et al, Aug 2009

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback