Host Identity Protocol

from Wikipedia, the free encyclopedia

The Host Identity Protocol (HIP) is a protocol standardized by the IETF that allows mobile devices (e.g. laptops) to switch between different IP networks (roaming) while hiding the resulting change of IP address from application programs and the transport layer.

Motivation

In the original design of the Internet, and thus of IP, it was assumed that connected computer systems would not change their position in the network at all, or only very rarely. It was therefore no problem at the time that IP addresses served both to uniquely identify an end device and to locate it within the network topology. With the advent of laptops, PDAs and other mobile devices this picture has changed, but because the architecture of the Internet was not designed for mobility, an end device that switches to a different access network (e.g. from one WLAN to another) is, for technical reasons, often assigned a new IP address, so that it can usually no longer be reached at the IP address it used until then. In particular, this means that all TCP and UDP connections existing at the time of the switch (e.g. POP3 connections for retrieving e-mail, instant messaging sessions, VoIP calls) are broken, which is unpleasant for the end user.

With the proliferation of mobile devices, various solutions to this problem have been developed; the most notable are Mobile IP and HIP.

How it works

Figure: HIP intermediate layer

HIP solves the problem by separating the two tasks of identification and localization from one another (the "locator/ID split"). For this purpose, HIP is inserted as a new intermediate layer between layer 3 (IP) and layer 4 (TCP, UDP, etc.). IP addresses, which still change when the network changes, are retained, but from now on they serve only to locate the end device, i.e. to route data packets to it. The identity of the end device, e.g. as the endpoint of a TCP connection, is no longer derived from the IP address but from a so-called Host Identity Tag (HIT). This makes it possible, for example, to keep an existing TCP connection alive even when the IP address of the end device changes, because the TCP connection is now bound to the host identity tag rather than to the IP address.

Security

The host identity tags are not randomly chosen numbers or numbers assigned by the user, but public keys (more precisely, hash values of public keys serving as their fingerprints) from a key pair. If two end systems want to communicate via HIP, they first use a Diffie-Hellman key exchange to check whether the other side actually holds the private key belonging to the host identity tag (i.e. the public key) it is using. The same check can be repeated when a communication partner's IP address changes. This prevents an attacker from impersonating one of the communication partners by forging the host identity tag and announcing a spurious change of IP address, and thereby simply hijacking the connection.
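The following Python program is an added toy model of the two sections above; it is not code from the article or from any HIP implementation. It models a host identity as a static Diffie-Hellman key pair (the article's description), derives a HIT from the public key under the 2001:10::/28 ORCHID prefix that RFC 5201 uses, keys the association by HIT rather than by IP address, and authenticates a locator change with the key derived from the exchange, so that an update carrying a forged HIT but the wrong private key is dropped. The DH group, the SHA-256-based HIT derivation, the message layouts and the host names and addresses are constructed simplifications; the real base exchange (RFC 5201) additionally uses a puzzle, ephemeral DH and signatures with the host identity, and RFC 5206 verifies a new address before using it.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Toy Diffie-Hellman group (constructed for illustration; far too small to be secure).
P = (1 << 127) - 1  # the Mersenne prime 2^127 - 1
G = 3
# 2001:10::/28 is the ORCHID prefix that RFC 5201 (via RFC 4843) uses for HITs.
ORCHID_PREFIX = 0x2001001 << 100


def hit_from_public_key(pub: int) -> str:
    """Host Identity Tag: 28-bit ORCHID prefix + 100 hash bits of the public key.
    (Simplified: RFC 4843 hashes the HI together with a context ID; plain SHA-256 here.)"""
    digest = int.from_bytes(hashlib.sha256(pub.to_bytes(16, "big")).digest(), "big")
    return str(ipaddress.IPv6Address(ORCHID_PREFIX | (digest & ((1 << 100) - 1))))


class Host:
    """A HIP end host: a static DH key pair is its Host Identity, the HIT its fingerprint."""

    def __init__(self, name: str, ip: str):
        self.name, self.ip = name, ip
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)
        self.hit = hit_from_public_key(self.pub)
        # Associations are keyed by the peer's HIT; the IP address is only a mutable locator.
        self.sessions: dict[str, dict] = {}

    def session_key(self, peer_pub: int) -> bytes:
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def base_exchange(initiator: Host, responder: Host) -> None:
    """Toy base exchange: HITs and public keys are exchanged, a DH secret derived, and the
    responder proves it holds the private key behind its HIT with a MAC over the transcript."""
    i_msg = {"hit": initiator.hit, "pub": initiator.pub}
    r_msg = {"hit": responder.hit, "pub": responder.pub}
    transcript = f"{i_msg}{r_msg}".encode()
    for me, peer_msg, peer_ip in ((initiator, r_msg, responder.ip), (responder, i_msg, initiator.ip)):
        # The HIT must be the fingerprint of the key it arrives with.
        if hit_from_public_key(peer_msg["pub"]) != peer_msg["hit"]:
            raise ValueError(f"{me.name}: peer HIT does not match its public key")
        me.sessions[peer_msg["hit"]] = {"key": me.session_key(peer_msg["pub"]), "locator": peer_ip}
    # Proof of possession: the responder MACs the transcript with its derived key; the
    # initiator recomputes it. They match only if the responder holds the claimed private key.
    r_proof = hmac.new(responder.sessions[initiator.hit]["key"], transcript, "sha256").digest()
    i_check = hmac.new(initiator.sessions[responder.hit]["key"], transcript, "sha256").digest()
    if not hmac.compare_digest(r_proof, i_check):
        raise ValueError("responder could not prove possession of its private key")


def make_update(host: Host, peer_hit: str, new_ip: str) -> dict:
    """Locator update (loosely modelled on an RFC 5206 UPDATE), authenticated with the association key."""
    key = host.sessions[peer_hit]["key"]
    mac = hmac.new(key, f"{host.hit}|{new_ip}".encode(), "sha256").hexdigest()
    return {"hit": host.hit, "locator": new_ip, "mac": mac}


def apply_update(host: Host, msg: dict) -> bool:
    """Accept a new locator for a HIT only if the MAC verifies under that HIT's association key."""
    sess = host.sessions.get(msg["hit"])
    if sess is None:
        return False
    expected = hmac.new(sess["key"], f"{msg['hit']}|{msg['locator']}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, msg["mac"]):
        return False  # update from a party without the matching private key is dropped
    sess["locator"] = msg["locator"]
    return True


def demo() -> tuple[bool, bool, str]:
    """Alice roams to a new network; a third party reusing Alice's HIT cannot redirect the association."""
    alice, bob = Host("alice", "192.0.2.10"), Host("bob", "198.51.100.5")  # constructed addresses
    base_exchange(alice, bob)
    # Alice's address changes; the association (keyed by her HIT) survives the move.
    moved = apply_update(bob, make_update(alice, bob.hit, "203.0.113.77"))
    # Mallory knows Alice's HIT and Bob's public key but not Alice's private key.
    mallory = Host("mallory", "203.0.113.99")
    mallory.hit = alice.hit
    mallory.sessions[bob.hit] = {"key": mallory.session_key(bob.pub), "locator": bob.ip}
    hijacked = apply_update(bob, make_update(mallory, bob.hit, mallory.ip))
    return moved, hijacked, bob.sessions[alice.hit]["locator"]


if __name__ == "__main__":
    print(demo())  # (True, False, '203.0.113.77')
```

The point to read off is the data structure: Bob's side indexes the association by Alice's HIT, and the IP address is a field inside it that only an authenticated update may change, which is why the TCP connection on top keeps working across the move while the forged update is discarded.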

Advantages and disadvantages

A disadvantage is that the Diffie-Hellman exchange unavoidably costs two RTTs before the first data can be sent; with TCP, the SYN/ACK handshake adds another 1½ RTTs on top. The advantage of the Diffie-Hellman approach, on the other hand, is that the two communication partners neither need to have exchanged keys beforehand nor depend on a trusted third party such as a CA.

Another disadvantage compared to Mobile IP, for example, is that introducing HIP as an additional intermediate layer is anything but trivial: the operating systems of both communication partners must support HIP, and any firewalls or other filtering devices in between must not block HIP packets, which as of 2009 is still very unlikely. The advantage of HIP, however, is that the data packets exchanged between the communication partners always travel along the normal routes determined by IP and do not have to be redirected via an intermediate station, as is the case with Mobile IP or VPN tunnels.

Specifications

  • RFC 5201: Host Identity Protocol base
  • RFC 5202: Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)
  • RFC 5203: Host Identity Protocol (HIP) Registration Extension
  • RFC 5204: Host Identity Protocol (HIP) Rendezvous Extension
  • RFC 5205: Host Identity Protocol (HIP) Domain Name System (DNS) Extension
  • RFC 5206: End-Host Mobility and Multihoming with the Host Identity Protocol
  • RFC 5207: NAT and Firewall Traversal Issues of Host Identity Protocol (HIP) Communication

Web links

  • Petri Jokela, Pekka Nikander, Jan Melen, Jukka Ylitalo, and Jorma Wall: Host Identity Protocol — Extended Abstract. Wireless World Research Forum, 2004. (PDF)
  • IETF working group
  • How HIP works