Fayez Al-Shraideh
Networking Laboratory,
Helsinki University of Technology
fayez.al-shraideh@hut.fi / fayez.al-shraideh@nokia.com
Abstract
Host Identity Protocol (HIP) proposes a new namespace, Host Identity. This name can be any globally unique name, but it has been chosen to be the public key of a public/private key pair. This paper can be seen as a HIP tutorial, since it provides an inside view of the HIP architecture, the HIP base exchange, Encapsulated Security Payload (ESP) Security Association setup, mobility and multi-homing, and some early experiences with HIP.

1. Introduction

The current Internet is based on two main namespaces, the Domain Name Service (DNS) names and the Internet Protocol (IP) addresses. The DNS namespace has enriched the Internet by making it easier to use, allowing users to give meaningful names to the different services in the network. The role of the DNS derives from the difference between humans and computers.

The IP address namespace describes both the topological location of the host in the network and the host identity. This dual role of the IP address causes problems when the host has to change its IP address, e.g. due to mobility: the location information changes, but that should not affect the identity information of the host. The IP address is overloaded and should be only a locator. A new name should be defined to act as a stable Host Identity, so that mobility becomes easier and can happen in a straightforward manner. [1]

Host Identity Protocol (HIP) introduces a separation between host identity and location identity. The IP address remains the locator, while a new namespace is introduced for host identifiers.

HIP is specified by the HIP Working Group at the IETF [1], [2], [3], [4], [5], and [6].

In the next chapters, I will discuss the HIP architecture overview, more details about HIP as a protocol, how HIP can support mobility and multi-homing, and some experiences with HIP.

2. HIP Architecture Overview

2.1. Host Identity Namespace

A Host Identifier (HI) is a name in the Host Identity namespace. The public key of a public/private key pair is a static, globally unique name, and the HIP specification has chosen it as the HI. With a public-key based HI, authentication and protection against man-in-the-middle attacks become possible. The Rivest-Shamir-Adleman (RSA) public key algorithm must be supported by all HIP hosts, and the Digital Signature Algorithm (DSA) should also be supported.

A Host Identity Tag (HIT) is a 128-bit, static, globally unique cryptographic SHA-1 hash over the HI. There are two types of HITs:
• Type one is generated by taking the least significant 128 bits of the SHA-1 hash of the HI. The first two bits are then modified so that a HIT can be distinguished from an IPv6 address.
• Type two consists of a Host Assigning Authority (HAA) field concatenated with the least significant 64 bits of the SHA-1 hash of the HI.
The HIT type is carried in both the Sender HIT Type (SHT) and Destination HIT Type (DHT) fields of the HIP controls. A HIT has a fixed length regardless of the cryptographic algorithm used to generate the public key (i.e. the HI), and the use of HITs eases protocol encoding.

A Local Scope Identifier (LSI) is a 32-bit or a 128-bit local representation of the HI, meant for IPv4-based or IPv6-based applications respectively. 32-bit and 128-bit LSIs are allocated from a TBD IPv4 subnet and a TBD IPv6 subnet, respectively. The low-order 24 bits of the HIT form the low-order 24 bits of the IPv4-compatible LSI, while the low-order TBD bits of the HIT form the low-order TBD bits of the IPv6-compatible LSI.
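The type-1 HIT and IPv4 LSI derivation described above, as an added worked example; this is not code from the paper or from any HIP implementation. The HI is a constructed byte string standing in for an encoded RSA public key (the exact HI encoding is not given on this page), the value of the two-bit type prefix written into the top of the HIT is an assumption (the text only says the two bits are modified), and the IPv4 subnet that LSIs are drawn from, which the paper leaves as TBD, is an assumed parameter. The check function shows how a responder verifies that a HIT it has been given really corresponds to the HI the peer later presents.

```python
import hashlib
import ipaddress

# Constructed sample HI: stand-in bytes for an encoded RSA public key.
# The real encoding of an HI is not shown on this page, so raw bytes are used.
SAMPLE_HI = b"RSA-public-key-placeholder:" + bytes(range(64))

# Assumption: the 2-bit type prefix placed in the top bits of a type-1 HIT.
# The paper only says the first two bits are modified; this value is ours.
ASSUMED_TYPE1_PREFIX = 0b01

# Assumption: the IPv4 subnet 32-bit LSIs are allocated from (the paper says TBD).
ASSUMED_LSI_V4_SUBNET = ipaddress.IPv4Network("1.0.0.0/8")


def hit_type1(hi: bytes, type_prefix: int = ASSUMED_TYPE1_PREFIX) -> bytes:
    """Type-1 HIT: least significant 128 bits of SHA-1(HI), top two bits overwritten."""
    digest = hashlib.sha1(hi).digest()            # 160-bit SHA-1 digest
    low128 = int.from_bytes(digest[-16:], "big")  # least significant 128 bits
    low126 = low128 & ((1 << 126) - 1)            # clear the two leading bits
    hit = ((type_prefix & 0b11) << 126) | low126  # write the assumed type prefix
    return hit.to_bytes(16, "big")


def hit_as_ipv6(hit: bytes) -> str:
    """A HIT is IPv6-sized so that IPv6 sockets and APIs can carry it unchanged."""
    return str(ipaddress.IPv6Address(hit))


def hit_matches_hi(hit: bytes, hi: bytes,
                   type_prefix: int = ASSUMED_TYPE1_PREFIX) -> bool:
    """Verify that a HIT received earlier was really derived from the HI now presented."""
    return hit_type1(hi, type_prefix) == hit


def ipv4_lsi(hit: bytes,
             subnet: ipaddress.IPv4Network = ASSUMED_LSI_V4_SUBNET) -> str:
    """32-bit LSI: the low-order 24 bits of the HIT inside the (assumed) LSI subnet."""
    low24 = int.from_bytes(hit, "big") & 0xFFFFFF
    return str(ipaddress.IPv4Address(int(subnet.network_address) | low24))


def lsi_low24_matches_hit(lsi: str, hit: bytes) -> bool:
    """The low-order 24 bits of the LSI must equal the low-order 24 bits of the HIT."""
    return (int(ipaddress.IPv4Address(lsi)) & 0xFFFFFF) == \
        (int.from_bytes(hit, "big") & 0xFFFFFF)


if __name__ == "__main__":
    hit = hit_type1(SAMPLE_HI)
    print("HIT :", hit_as_ipv6(hit))
    print("LSI :", ipv4_lsi(hit))
    print("HIT matches HI        :", hit_matches_hi(hit, SAMPLE_HI))
    print("HIT matches altered HI:", hit_matches_hi(hit, SAMPLE_HI + b"x"))
```

Because only the two prefix bits are fixed, two HIs collide on a HIT only if they collide on the low 126 bits of SHA-1; the `hit_matches_hi` check is what ties a HIT seen in a packet back to the key that will later sign the HIP exchange.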
Figure 13 shows one mobility scenario for a mobile host that has an active HIP association with a peer host (i.e. the HIP association and the ESP SAs have been negotiated and created). The mobile host moves to another network and changes its IP address, so it has to inform the peer host about this change with an acknowledged HIP UPDATE packet, using the LOCATOR HIP parameter to bind its inbound SPI to the new IP address. The peer host receives this UPDATE and acknowledges the change by sending another acknowledged HIP UPDATE packet carrying its own inbound SPI, and it checks that the mobile host is really reachable at the new address by using the ECHO mechanism (ECHO-REQUEST/ECHO-REPLY). The mobile host acknowledges this and returns the ECHO-REPLY in a HIP UPDATE packet. From then on, the new IP address of the mobile host is the destination IP address of the IP packets for the inbound SA and the source IP address for the outbound SA.

[Figure 14: Readdress with mobile-initiated re-keying [4]. Messages between Mobile Host and Peer Host, as far as they are recoverable: UPDATE(LOC(SPI-IP),NES,SEQ,D-H); UPDATE(ACK,ECHO-RES).]

[Figure 15: Readdress with peer-initiated re-keying [4]. Messages between Mobile Host and Peer Host: UPDATE(LOC(SPI-IP),SEQ); UPDATE(NES,SEQ,ACK,D-H,ECHO-REQ); UPDATE(NES,SEQ,ACK,D-H,ECHO-RES); UPDATE(ACK).]

Figures 16 and 17 show the readdressing scenario for a multi-homed mobile host in the case where one or two of its IP addresses change.

[Figure 17: Readdress in basic multihoming (two IP addresses in LOC) [4]. Messages between Multihomed Host and Peer Host, as far as they are recoverable: UPDATE(ACK,ECHO-RES).]

The message sequences in figures 13, 14, 15, 16, and 17 are based on an older HIP specification, since they use some HIP parameters (i.e. SPI and NES) which are not present in the latest IETF HIP specification. HIP
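The readdressing exchange described above (mobile host announces a LOCATOR, peer host acknowledges and probes with an ECHO-REQUEST, mobile host returns the ECHO-REPLY, peer host switches its SA), modelled as an added example that is not from the paper or from any HIP implementation. It uses the parameter names the text uses, skips signatures, re-keying, sequence-number windows and retransmissions, and adds the check a practitioner cares about: the peer host moves its outbound SA only after an ECHO-REPLY proves that a host at the new address saw a fresh random nonce. The Host class, the dict layout of the packets and all addresses are constructed for the example; the second scenario shows an off-path attacker injecting a LOCATOR that points at a victim and then forging the reply.

```python
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Host:
    """Constructed per-host state for one HIP association."""
    name: str
    addr: str
    inbound_spi: int
    peer_addr: str = ""        # where this host's outbound ESP SA currently sends
    seq: int = 0               # SEQ counter for UPDATE packets
    pending: dict = field(default_factory=dict)  # echo nonce -> address under verification


def send_locator(mobile: Host, new_addr: str) -> dict:
    """Mobile host: bind its inbound SPI to the new address and announce it."""
    mobile.addr = new_addr
    mobile.seq += 1
    return {"src": new_addr, "SEQ": mobile.seq,
            "LOCATOR": {"spi": mobile.inbound_spi, "addr": new_addr}}


def on_locator(peer: Host, pkt: dict) -> dict:
    """Peer host: ACK the UPDATE and probe the new address with a random ECHO-REQUEST.
    The outbound SA is NOT moved yet: an unverified LOCATOR must not redirect traffic."""
    new_addr = pkt["LOCATOR"]["addr"]
    nonce = os.urandom(8).hex()            # fresh, unguessable per probe
    peer.pending[nonce] = new_addr
    peer.seq += 1
    return {"src": peer.addr, "dst": new_addr, "SEQ": peer.seq, "ACK": pkt["SEQ"],
            "SPI": peer.inbound_spi, "ECHO-REQUEST": nonce}


def on_echo_request(host: Host, pkt: dict) -> Optional[dict]:
    """Only a host actually listening at the probed address receives the request."""
    if pkt["dst"] != host.addr:
        return None
    return {"src": host.addr, "ACK": pkt["SEQ"], "ECHO-REPLY": pkt["ECHO-REQUEST"]}


def on_echo_reply(peer: Host, pkt: dict) -> bool:
    """Peer host: switch the outbound SA only if the reply carries an outstanding
    nonce and arrived from the address that nonce was sent to."""
    addr = peer.pending.pop(pkt.get("ECHO-REPLY"), None)
    if addr is None or addr != pkt["src"]:
        return False
    peer.peer_addr = addr                  # outbound SA now targets the verified address
    return True


def readdress(mobile: Host, peer: Host, new_addr: str) -> bool:
    """Genuine move: run the three UPDATE packets end to end."""
    upd1 = send_locator(mobile, new_addr)
    upd2 = on_locator(peer, upd1)
    upd3 = on_echo_request(mobile, upd2)
    return upd3 is not None and on_echo_reply(peer, upd3)


def forged_readdress(attacker_addr: str, peer: Host, victim_addr: str) -> bool:
    """Off-path attacker announces the victim's address as the mobile's new one and
    forges the ECHO-REPLY with a guessed nonce. Returns True only if the peer moved."""
    upd1 = {"src": attacker_addr, "SEQ": 999,
            "LOCATOR": {"spi": 0x1234, "addr": victim_addr}}
    on_locator(peer, upd1)                 # the probe goes to the victim, who never answers
    forged = {"src": victim_addr, "ECHO-REPLY": os.urandom(8).hex()}
    return on_echo_reply(peer, forged)


if __name__ == "__main__":
    mobile = Host("mobile", "10.0.0.5", 0x1234, peer_addr="192.0.2.1")
    peer = Host("peer", "192.0.2.1", 0xABCD, peer_addr="10.0.0.5")
    print("genuine move accepted:", readdress(mobile, peer, "10.1.1.7"), peer.peer_addr)
    print("forged move accepted :", forged_readdress("198.51.100.9", peer, "203.0.113.3"),
          peer.peer_addr)
```

The point of the nonce check is that a LOCATOR on its own is just a claim: without the ECHO round trip the peer host would redirect its whole ESP stream to whatever address appears in the parameter, so address verification is what keeps the readdressing mechanism from becoming a traffic redirection primitive for anyone who can inject an UPDATE.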
Thomas R. Henderson, Jeffrey M. Ahrenholz, and Jae H. Kim have implemented an experimental HIP prototype over the Linux 2.4 kernel using FreeS/WAN IPsec and OpenSSL, and they have published their experience in [9].

The paper describes problems in the deployment of the key infrastructure, due to the fact that it is hard for any host to remember the Host Identities of all other hosts. The HIP specification proposes the DNS as the storage place for all public keys (HIs), but there is still the problem of finding the IP address of the destination host if the initiator knows only the destination HI or HIT. There are also performance and latency problems due to the frequent DNS updates a mobile host must make when it changes its IP address. A rendezvous server (RVS) has been proposed to solve this problem, but this idea is the home agent in Mobile IP terminology, and it might not give HIP an advantage over Mobile IP.

[5] draft-ietf-hip-dns-01, February 20, 2005, Expires: August 21, 2005, http://www.ietf.org/internet-drafts/draft-ietf-hip-dns-01.txt
[6] draft-ietf-hip-rvs-01, February 18, 2005, Expires: August 19, 2005, http://www.ietf.org/internet-drafts/draft-ietf-hip-rvs-01.txt
[7] RFC3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE), May 2003, http://ietf.org/rfc/rfc3526.txt?number=3526
[8] Sarela, Mikko and Nikander, Pekka, Applying Host Identity Protocol to Tactical Networks. http://www.tcs.hut.fi/~id/publications/SarelaMilcom2004.pdf