What is HIP? A brief introduction to the Host Identity Protocol. 5. Aug 2010. Holger.Zuleger@hnet.de



Similar documents
IPv6-Only. Now? Sites. Deutscher IPv6 Kongress June 6/7, 2013 Fr ankfur t /Ger many. Holger.Zuleger@hznet.de

STRESS TESTING OF HOST IDENTITY PROTOCOL (HIP) IMPLEMENTATIONS

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Network Security. Lecture 3

Protocol Security Where?

Securing IP Networks with Implementation of IPv6

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Introduction to Security and PIX Firewall

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Network Security Part II: Standards

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

APPLYING HOST IDENTITY PROTOCOL TO TACTICAL NETWORKS

Mobile Internet Protocol v6 MIPv6

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

Understanding the Cisco VPN Client

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

This chapter describes how to set up and manage VPN service in Mac OS X Server.

DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Network Security Fundamentals

ETSF10 Part 3 Lect 2

Internet Protocol Security IPSec

VPN. VPN For BIPAC 741/743GE

Virtual Private Networks

Internetwork Security

Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway)

Lecture 17 - Network Security

IP Security. Ola Flygt Växjö University, Sweden

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

Use Domain Name System and IP Version 6

Configuration Guide. How to establish IPsec VPN Tunnel between D-Link DSR Router and iphone ios. Overview

(d-5273) CCIE Security v3.0 Written Exam Topics

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

Corporate VPN Using Mikrotik Cloud Feature. By SOUMIL GUPTA BHAYA Mikortik Certified Trainer

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Using IKEv2 on Juniper Networks Junos Pulse Secure Access Appliance

Configure IPSec VPN Tunnels With the Wizard

IETF IPv6 Request for Comments (RFCs) Updated

FortiOS Handbook IPsec VPN for FortiOS 5.0

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Application Note: Onsight Device VPN Configuration V1.1

Joe Davies Principal Writer Windows Server Documentation

21.4 Network Address Translation (NAT) NAT concept

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Funkwerk UTM Release Notes (english)

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Lecture 10: Communications Security

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Branch Office VPN Tunnels and Mobile VPN

Security of IPv6 and DNSSEC for penetration testers

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Telepresence in an IPv6 World. Simplify the Transition

IPsec Details 1 / 43. IPsec Details

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Chapter 4 Virtual Private Networking

Using IPSec in Windows 2000 and XP, Part 2

This section provides a summary of using network location profiles to identify network connection types. Details include:

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May New Features and Enhancements. Tip of the Day

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

The VPNaaS Plugin for Fuel Documentation

LECTURE 4 NETWORK INFRASTRUCTURE

Cisco Expressway Basic Configuration

BorderWare Firewall Server 7.1. Release Notes

Configuring GTA Firewalls for Remote Access

VoIP Security. Seminar: Cryptography and Security Michael Muncan

CCNA Security 1.1 Instructional Resource

FortiOS Handbook - IPsec VPN VERSION 5.2.4

CS 4803 Computer and Network Security

What s New in Fireware XTM v11.5.1

Advanced IPSec with GET VPN. Nadhem J. AlFardan Consulting System Engineer Cisco Systems

Cisco EXAM Implementing Cisco IP Telephony and Video, Part 2 (CIPTV2) Buy Full Product.

TABLE OF CONTENTS NETWORK SECURITY 2...1

Virtual Private Networks

The BANDIT Products in Virtual Private Networks

Chapter 10. Network Security

Internet Security Architecture

Firewalls und IPv6 worauf Sie achten müssen!

Firewall Troubleshooting

Chapter 8 Virtual Private Networking

Telematics. 9th Tutorial - IP Model, IPv6, Routing

Implementing Cisco IOS Network Security

Site to Site Virtual Private Networks (VPNs):

Configuring L2TP over IPsec

1. Introduction to DirectAccess. 2. Technical Introduction. 3. Technical Details within Demo. 4. Summary

Basic IPv6 WAN and LAN Configuration

SonicOS Enhanced 3.2 IKE Version 2 Support

Transcription:

What is HIP? A brief introduction to the Host Identity Protocol 5. Aug 2010 Holger.Zuleger@hnet.de 2001:10:2010:0729:07:02:10:18 Holger Zuleger 2001:db8::13:1 > c

Host Identity Protocol (RFC 5201) Yet another locater/identifier split mechanism PIP, ILNP, IPNL, TRRP, APT, GSE/8+8, Shim6, LISP(+ALT), MOBIKE, GLI-Split Host based approach Some others are networ k based (like LISP) Enables multihoming Mobility IPv4 and IPv6 Uses public key as identifier Or a hash of it Adds a new namespace Domain Name (User), HIT (Identifier), { IPv4 address IPv6 address } (Locator) Simple key exchange protocol for IPsec 2001:10:2010:0729:07:02:10:21 Holger Zuleger 2001:db8::13:2

Locater / Identifier IP address is used as Identifier and Locater Identifier OS nedds a way to bind incoming ip packets to application Both ends use 5-tuple as endpoint identifier On IP address change the connection go stale Locator Prefix aggregation needed on AS boundary Just a handful prefixes in IPv6 per AS Size of default free zone (DFZ) (IPv4: 350000; IPv6: 3500) Tier-1 ISP-A 2001:db8:A::/32 ISP-B 2001:db8:B::/32 2001:10:2010:0729:07:02:10:24 Holger Zuleger 2001:db8::13:3

Locater / Identifier IP address is used as Identifier and Locater Identifier OS nedds a way to bind incoming ip packets to application Both ends use 5-tuple as endpoint identifier On IP address change the connection go stale Locator Prefix aggregation needed on AS boundary Just a handful prefixes in IPv6 per AS Size of default free zone (DFZ) (IPv4: 350000; IPv6: 3500) Tier-1 ISP-A 2001:db8:A::/32 ISP-B 2001:db8:B::/32 Mobile Host 2001:10:2010:0729:07:02:10:24 Holger Zuleger 2001:db8::13:3

Locater / Identifier IP address is used as Identifier and Locater Identifier OS nedds a way to bind incoming ip packets to application Both ends use 5-tuple as endpoint identifier On IP address change the connection go stale Locator Prefix aggregation needed on AS boundary Just a handful prefixes in IPv6 per AS Size of default free zone (DFZ) (IPv4: 350000; IPv6: 3500) Tier-1 ISP-A 2001:db8:A::/32 ISP-B 2001:db8:B::/32 Mobile Host 2001:db8:A:d::4 2001:db8:B:f3::4 Multi Homed Host 2001:10:2010:0729:07:02:10:24 Holger Zuleger 2001:db8::13:3

Host Identifier and HIT A host identifier is the public part of an asymetr ic key (RSA or DSA) Size of identifier depends on key length / algorithm Representation depends on key algor ithm A more generalized presentation would be more handy The host identity tag (HIT) is the hash of the host identifier AHIT is the 128 bit representation of a host identifier Constant length Same size as an IPv6 address Fits in a socket data structure used by the ker nel Could be represented as an (reserved) IPv6 address Over lay Routable Cryptographic Hash Identifier (ORCHID) The ORCHID prefix used is 2001:0010::/28 (RFC4843) Legacy applications can use the HIT instead of an IPv6 address 2001:10:2010:0729:07:02:10:27 Holger Zuleger 2001:db8::13:4

HIP Session Setup Base exchange Just 4 packets to initiate a HIP session Initator (Client) i1 r1 i2 r2 Responder (Ser ver) Makes HIP DoS resilient puzzle question/answer in r1/i2 message Diffie-Hellman Key Exchange In r1, i2 packets Authentication In i2, r2 packets Protocol number 139 has been assigned to HIP Extended Exchange for IP address registration/update For mobile/multihomed hosts Diet Exchange (DEX) under discussion (draft-moskowitz-hip-rg-dex-02)) good to be used by sensor devices or for mac layer secur ity 2001:10:2010:0729:07:02:10:30 Holger Zuleger 2001:db8::13:5

HIP and DNS HIP can use DNS to map hostnames (FQDN) to a HIP identity Client queries for HIP record in addition to an A and/or AAAA record HIP RR provides three types of infor mation a. The HIP identity, which is the public part of an asymetr ic key b. The HIT (host identity tag), which is a hash of the Hi c. Optional a rendezvous server (for mobile hosts) Example RR (Mobile Host) xt5.hznet.de. IN HIP ( 2 2001001781381AE2B2BC542EEEE53CAB AwEAAb1SN58eG29jZcY8HO2HPQXh6UIfSMvFF+4BM8n S/Za6s2yRU0+wvSMXOHGShe6E3RD2t7uKF9cbsSz4JU 5J8YP2/DpJREEGR3AWBXVVcLUq06xS3XmePOvck/oQZ HtNzjRjy11ey5KiH7O6jDwJBXfGuUcpsiI7qHTzu8tJ Va8n max.hznet.de. ) DNSSEC is necessary for secure binding between FQDN and HIT 2001:10:2010:0729:07:02:10:33 Holger Zuleger 2001:db8::13:6

And now to something completely different... The Root Zone is signed since 15. July 2010 20:50 UTC 2001:10:2010:0729:07:02:10:36 Holger Zuleger 2001:db8::13:7

HIP Test Server HIP and DNS (2) crossroads.infrahip.net. HIP ( 2 2001001BA9BEC6A634E58361C07FA990 AwEAAcp2OIA68skk+yPtU+UBtvScsntTvknaaXMPmJi 4OG2N+yszHOm/DWN7GyYZDPPsUURYWu6r3u7pzIub7J rwxdpyeliczmr++d0enki9nus1bpdfgeqtgcu0obf1k +wrtaxaqaf64rmsp/l666bezwftvwygfiqzrjncrfwn hvt5 ) crossroads.infrahip.net. AAAA 2001:708:140:220::7 crossroads.infrahip.net. A 193.167.187.134 Mobile Host xt5.hznet.de. IN HIP ( 2 2001001781381AE2B2BC542EEEE53CAB AwEAAb1SN58eG29jZcY8HO2HPQXh6UIfSMvFF+4BM8n S/Za6s2yRU0+wvSMXOHGShe6E3RD2t7uKF9cbsSz4JU 5J8YP2/DpJREEGR3AWBXVVcLUq06xS3XmePOvck/oQZ HtNzjRjy11ey5KiH7O6jDwJBXfGuUcpsiI7qHTzu8tJ Va8n max.hznet.de. ) max.hznet.de. IN A 213.239.204.36 max.hznet.de. IN AAAA 2001:6f8:900:2af::2 2001:10:2010:0729:07:02:10:39 Holger Zuleger 2001:db8::13:8

HIP Mobility Mobile host needs rendezvous server (RVS) for initial reachability Mobile host register his current locator (ip address) at RVS Rendezvous server name is (optional) part of HIP DNS record Locator hint HIP initiator (client) sends first packet of HIP base exchange to RVS RVS forwards the packet to the host (if host is actually registered) client i1 r1 i2 r2 RVS i1 Mobile Host register Mobile host uses HIP base exchange to register his address at RVS Mobile Host send update packet to client if IP address is changing RVS has to be infor med as well (Proposal to send UPDATE/CLOSE via RVS) 2001:10:2010:0729:07:02:10:42 Holger Zuleger 2001:db8::13:9

HIP as a key exchange protocol Similar to ISAKMP/IKE Disadvantages (Limitations) Only transpor t mode available Because HIP is for end to end communication this is intended Only one SA per host More than one SA possible (e.g. one HI per application) but unusual Not the same granular ity like ISAKMP No AH, just ESP mode (but with null encryption) Advantages Just 4 packets needed to authenticate peer and exchange key mater ial Same as IKEv2 No certificates needed HIP uses key as identifier No binding between key and identifier (ip address) necessary 2001:10:2010:0729:07:02:10:45 Holger Zuleger 2001:db8::13:10

HIP and IPsec ESP HIP uses IPsec ESP to carry the data traffic (RFC5202) Pair of SA is bound to Host Identifier; SPI is used as index into SA table No need to transfer the host identifier within each packet Both endpoints have a local database for mapping of SPI to host identifier Other mechanism possible but not yet defined Only 2 transfor ms mandator y AES with SHA-1 and Null encryption IP addresses could be changed in between a session HIP UPDATE message to infor m peer Rekeying allowed dur ing ip address change Protocol change possible (IPv4 IPv6) but not defined yet Good for mobility MIPv6 no longer needed Session persistence because ip address is no longer used as identifier 2001:10:2010:0729:07:02:10:48 Holger Zuleger 2001:db8::13:11

Applications of HIP Host Mobility Even on different transpor t protocols (IPv4/IPv6) Multihoming Ser ver load balancing / High Availability Shared HI on clustered servers End-to-end Security Firewall rules based on Host identifier Firewall for mobile users Long term session persistence SSH, IMAP Continuous media streaming (Voice/Video) over different L3 networ ks mobile / fixed convergence Apples Back tomymac Kerberos, TSIG, TLS, IPsec, DDNS, DNS-SD, DNS Push, NAT Traversal IPv6 ULA used as Identifer,... 2001:10:2010:0729:07:02:10:51 Holger Zuleger 2001:db8::13:12

RFC References 4423 Host Identity Protocol Architecture (May 2006) 5201 Host Identity Protocol (April 2008) 5202 Using the Encapsulating Security Payload Transpor t Format with HIP 5205 Host Identity Protocol (HIP) Domain Name System (DNS) Extension 5206 End-Host Mobility and Multihoming with the Host Identity Protocol 4843 Over lay Routable Cryptographic Hash Identifier (ORCHID) Implementations InfraHIP / HIPL Ubunto, Fedora, CentOS, Android, Maemo, OpenWRT (http://infrahip.hiit.fi/) OpenHIP Linux / Windows / Mac (http://www.openhip.org/) HIP for FreeBSD (http://www.hip4inter.net/) Compar ison /Interoperability http://www.openhip.org/wiki/index.php?title=interoperability 2001:10:2010:0729:07:02:10:54 Holger Zuleger 2001:db8::13:13

Questions? DNSsec, VoIPsec, IPsec, XMPPsec, SMTPsec, WLANsec...... DKIM, Kerberos, IMAP, LDAP, ENUM, SIP,...... NTP, DNS, DHCP, IPv6, Routing, Switching Holger.Zuleger@hznet.de 2001:10:2010:0729:07:02:10:57 Holger Zuleger 2001:db8::13:14

CONTENTS... 1 Host Identity Protocol (RFC 5201)... 2 Locater / Identifier... 3 Host Identifier and HIT... 4 HIP Session Setup... 5 HIP and DNS... 6... 7 HIP and DNS (2)... 8 HIP Mobility... 9 HIP as a key exchange protocol... 10 HIP and IPsec ESP... 11 Applications of HIP... 12 References... 13... 14 <

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information