hip research group activities and roadmap · pdf filehip research group activities and roadmap...
TRANSCRIPT
![Page 1: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/1.jpg)
HIP Research GroupActivities and Roadmap
Pekka Nikander, Ericsson Research Nomadic LabTom Henderson, Boeing Phantom Works
![Page 2: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/2.jpg)
Presentation outline
• HIP in a nutshell
• A potential HIP roadmap
• Current activities
• Concluding remarks
2
• Positioning and WG work
• RG deployment plan
• RG work
![Page 3: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/3.jpg)
Presentation outline
• HIP in a nutshell
• What is HIP?
• A brief history of HIP
• Motivation; related WGs and RGs
• WG work summary
• A potential HIP roadmap
• Current activities
• Concluding remarks
3
![Page 4: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/4.jpg)
What is HIP?
• HIP = Host Identity Protocol
• A proposal to separate identifier from locator at the network layer of the TCP/IP stack
• A new name space of public keys
• A protocol for discovering and authenticating bindings between public keys and IP addresses
• Secured using signatures and keyed hashes
4
![Page 5: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/5.jpg)
5
IP addr
• A new Name Space of Host Identifiers (HI)
• Public crypto keys!
• Presented as 128-bit long hash values, Host ID Tags (HIT)
• Sockets bound to HIs, not to IP addresses
• HIs translated to IP addresses in the kernel
The Idea
Process
Transport
IP layer
Link layer
IP address
< , port>
Host Identity Host ID
Host ID
![Page 6: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/6.jpg)
IP layer
Fragmentation
More detailed layering
6
Link Layer
Forwarding
IPsec
Transport LayerEnd-to-end,
HITs
Hop-by-hop, IP addresses
HIP
Mobility
Multi-homing
v4/v6 bridge
![Page 7: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/7.jpg)
7
Base exchange
Initiator Responder
I1 HITI, HITR or NULL
R1 HITI, [HITR, puzzle, DHR, HIR]sig
I2 [HITI, HITR, solution, DHI, {HII}]sig
R2 [HITI, HITR, authenticator]sigUser data messages
solve puzzle
verify, authenticate
draft-ietf-hip-base-02.txt, draft-jokela-hip-esp-00.txt
• Based on SIGMA family of key exchange protocols
![Page 8: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/8.jpg)
8
Other core components
• Per-packet identity context
• Indirectly, through SPI if ESP (or SRTP) is used
• Directly, e.g., through an explicit shim header
• A mechanism for resolving identities to addresses
• DNS-based, if FQDNs used by applications
• Or distributed hash tables (DHTs) based
![Page 9: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/9.jpg)
9
A Brief History of HIP
• 1999 : idea discussed briefly at the IETF
• 2001: two BoFs, no WG created at that time
• 02-03: development in the corridors
• 2004: WG and RG created
• Now: base protocol more or less ready• Four interoperating implementations
• More work needed on mobility, multi-homing,NAT traversal, infrastructure, and other issues
![Page 10: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/10.jpg)
Motivation
10
• Not to standardise a solution to a problem
• No explicit problem statement
• Exploring the consequences of the id / loc split
• Try it out in real life, in the live Internet
• A different look at many problems
• Mobility, multi-homing, end-to-end security, signalling, control/data plane separation, rendezvous, NAT traversal, firewall security, ...
![Page 11: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/11.jpg)
Motivating architectural factors
11
• A “reachability” solution across NATs
• New “waist” for the protocol stack
• Built-in security
• Implicit channel bindings
• connect(HIT) provides a secured connection to the identified host
• Puzzle-based DoS protection
• Integrated mobility and end-host multi-homing
![Page 12: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/12.jpg)
12
nsrg
ID/loc split
Related WGs and RGs
Mobilitymip6mip4mipshop
Security
ipsec
mobike
btns
multi6
tsvwg(sctp)
shim6
Multi-homing
hip
![Page 13: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/13.jpg)
13
WG summary
• HIP WG is chartered to produce experimental RFCs:
• Base protocol, use of ESP
• Mobility and multi-homing
• DNS resource record(s)
• Registration protocol, (simple) rendezvous server
• However, we need to understand the implications of deploying HIP on a large scale
• Changes to hosts and host management
• Additional network infrastructure
• This latter topic is the focus of the HIP RG
![Page 14: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/14.jpg)
Presentation outline
• HIP in a nutshell
• A potential HIP roadmap
• Initial exploration
• Early infrastructure
• Enhanced Infrastructure
• Early markets: HIP as a vertical solution
• Current activities
• Concluding remarks
14
![Page 15: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/15.jpg)
Initial exploration
• Pair-wise host-to-host deployment
• e.g. my laptop and my personal server
• HITs typically stored in /etc/hosts 192.0.2.1 myserver
43bc:4521:4933:956c:3445:956d:ed23:3420 myserver
• Initial public test servers in the Internet
• hipserver.hiit.fi
15
![Page 16: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/16.jpg)
Initial exploration
myserver
mylaptop
hipserver.hiit.fi
Client side NAT
![Page 17: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/17.jpg)
Initial exploration: Requirements
17
• Host:
• Install HIP on the host operating system
• Linux: HIPL or Boeing HIP
• BSD: HIP4BSD (FreeBSD; MacOS X soon)
• Windows: Boeing HIP (cygwin based)
• Configure HITs in /etc/hosts
• Configure applications to refer to HITs
• Network: none
![Page 18: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/18.jpg)
Initial exploration: Benefits
• End-to-end security between client and server
• Trust based on static configuration
• Client mobility and multi-homing
• Even across IPv4 / IPv6 boundaries
• IPv4 / IPv6 API-level interoperability
• Protection against CPU / memory DoS attacks
• Soon: Client-side NAT traversal
• For plain client–server TCP / UDP protocols
18
![Page 19: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/19.jpg)
19
Initial exploration: Challenges
• Per-host management of a new name space
• Policy configuration
• Semantics for unsuccessful handshakes
• Management of keys and address bindings
• Privacy management
• Address resolution from HIT to IP address without any infrastructure
• Must be explicitly configured
![Page 20: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/20.jpg)
Early infrastructure
• Pair-wise deployment between early adopters
• e.g. my laptop and your experimental server
• Store HITs in the DNS as AAAA RRs
• Look like non-routable IPv6 addresses
• Returned as the last entry in an RR set
• Experimental rendezvous (Hi3) at PlanetLab
• Infrastructure for passing HIP packets
20
![Page 21: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/21.jpg)
Early infrastructure
yourserver
mylaptop
RendezvousDNS
Data packetsHIP pa
cket
s
Server side NAT
Client side NAT
![Page 22: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/22.jpg)
Early infrastructure: Requirements
22
• Host:
• No new significant requirements
• Maybe an update of the HIP software
• Infrastructure on the network:
• Store HITs to DNS as AAAA records
• Install experimental rendezvous servers
• Routers and NATs:
• no changes
![Page 23: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/23.jpg)
Early infrastructure: (Additional) benefits
23
• Opportunistic security between participants
• Perhaps build trust with DNSSEC
• Simultaneous mobility; i.e., mobile servers
• Increases the cost of some flooding DoS attacks
• Potential attacker needs to solve the HIP puzzle before getting the real IP address
• NAT traversal for both client and server
• Unlikely to work for symmetric NATs
![Page 24: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/24.jpg)
Enhanced infrastructure
• Internet-wide experimental deployment
• Stable rendezvous service
• Store HITs in the DNS using new RRs
• Benefits as before but larger audience
• Results to be reported in HIP RG experiment report
• Input to the IETF community
24
![Page 25: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/25.jpg)
Markets take over:HIP on selected vertical markets
• Potential markets
• Multi-homed road warriors
• Operations and management
• Military or dual-use systems
• High-availability systems
• Mobile public networks
• e.g., municipal 802.11 networks
25
![Page 26: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/26.jpg)
Presentation outline
• HIP in a nutshell
• A potential HIP roadmap
• Current activities
• NAT traversal or layer 3.5 connectivity
• Upper layer identifiers
• Hi3 and other DHT-based rendezvous
• Separating control and data traffic
• Concluding remarks
26
![Page 27: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/27.jpg)
NAT traversal
• Legacy NAT traversal
• Apply ideas from STUN/ICE/STUNT... to HIP
• UDP tunneling
• Short term solution with a clear exit strategy
• SPI-NAT or architected NAT
• Make NAT aware of HIP messages
• Allow servers to register at the NAT
• Learn mappings for HITs and ESP SPIs
27
![Page 28: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/28.jpg)
Upper layer identifiers
• Backward compatible APIs
• Current APIs form a major legacy asset
• HIP allows almost all applications to continue unmodified (no recompilation required)
• Q: Use HITs / IP addrs / both as the ULID?
• New APIs
• Host vs. Session vs. Service identifiers?
• Using delegation?
28
![Page 29: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/29.jpg)
29
Hi3 and DHT-based rendezvous
ID R
i3 overlay basedrendezvous infra
![Page 30: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/30.jpg)
Separating control and data
• Originally HIP was tightly bound to ESP, using ESP as the data encapsulation protocol
• ESP split from the base specification
• Allow other encapsulations in the future
• Maybe even plain TCP / UDP w/ null encaps
• Fast / slow path separation at middle boxes
• Optionally different locators for control / data
30
![Page 31: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/31.jpg)
Summary
• HIP WG producing components for experimental deployment:
• base protocol, ESP, mobility & multi-homing, DNS, registration, rendezvous
• HIP RG preparing for real life experiments
• On-going RG work items:
• NAT, ULIDs and APIs, Hi3 / DHT based rendezvous, separation of control and data
31
![Page 32: HIP Research Group Activities and Roadmap · PDF fileHIP Research Group Activities and Roadmap Pekka Nikander, Ericsson Research Nomadic Lab Tom Henderson, Boeing Phantom Works](https://reader031.vdocuments.net/reader031/viewer/2022022422/5a9d726e7f8b9abd058d40f8/html5/thumbnails/32.jpg)
Concluding remarks
• Base protocol ready for early exploration
• Interoperating OSS implementations available
• Open questions looking for answers
• Impact: on hosts, routers, other infra
• Architectural questions: ULIDs, resolution, separation of control and data, ...
• New functionality: DDoS protection, moving networks, MANETs, ...
32