HIP Explained
SMA Demo Team

International Civil Aviation Organization
INFORMATION PAPER ACP-SWGN13 – IP06
14 APRIL 2007

Boeing Technology | Phantom Works
E&IT | Mathematics and Computing Technology
BOEING is a trademark of Boeing Management Company. Copyright © 2004 Boeing. All rights reserved.
BT_PW_Sub_no-icon.ppt | 8/4/2004


Agenda

• HIP Explained
• Explanation of the Status Display Screens
• Explanation of the Demonstration


HIP elements

Host Identity (HI) is a public/private key pair:
• Identity defined by holder of private key
• Public key used by others to authenticate control messages

SHA-1 hash of public key forms a “Host Identity Tag (HIT)”
- used where 128 bit fields are needed
- self-referential (i.e., HIT can be securely used instead of HI)

[Diagram: packet layout: IP header | IPsec (ESP) | Encrypted transport header and payload]

HIT is implied by the SPI value in IPsec header (i.e. HIP incurs no per-packet overhead)


What problems does HIP solve?

HIP may admit more elegant solutions to:
• host mobility: Binding Updates for route optimization automatically and directly authenticated
• host multihoming: Can associate more than one IP address with a security association
• BGP scaling problem: Multihomed networks may have hosts with multiple, aliased addresses
• NAT traversal: Changing IP addresses does not break transport checksums
• IPv4 to IPv6 transition: Ditto
and others...


HIP deployment issues

• HIP can be deployed pair-wise, without any supporting infrastructure (like ssh)
• No changes to routing infrastructure
• Backward compatible with legacy apps
• For more advanced features, some additional infrastructure will be needed:
    • support for new DNS resource record
    • support for “rendezvous server” to offload DNS update loads, and to solve “double-jump” mobility
    • HIP-aware NATs and firewalls
    • reverse lookup service for HITs


Background: IPsec

[Diagram: Initiator and Responder protocol stacks. User space: Application, Keying daemon (e.g. IKE). Sockets: PF_INET, PF_RAW, PF_KEY. Kernel: TCP/IP code, IPsec, Key engine.]

IPsec Security Association (transport mode) identified by SPI in IPsec header, IP addresses


Boeing HIP Implementation

Mainly a user-space daemon (replacing IKE), with minor kernel and API modifications
• IPv4 and IPv6 Linux kernel 2.6.7
• KAME-derived ipsec-tools package (for Linux 2.6)
• OpenSSL 0.9.7 (cryptographic libraries)

[Diagram: User space: Application, openssl libraries, HIP daemon (hipd), ipsec-tools (setkey). Sockets: PF_INET, PF_RAW, PF_KEY. Kernel: TCP/IP code, IPsec, Key engine. Annotations: "APIs extended slightly"; "small mods required here also".]


HIP-enabled security

[Diagram: Initiator and Responder protocol stacks. User space: Application, HIP daemon, with the HIP handshake running between the two HIP daemons. Sockets: PF_INET, PF_RAW, PF_KEY. Kernel: TCP/IP code, IPsec, Key engine.]

IPsec Security Association (ESP, AH) identified by SPI in IPsec header (but not IP address!)


HIP Handshake

I1 packet (Initiator to Responder)
  Simple packet, contains compressed (hashed) version of Host Identities
  At the Responder: Opportunity for DoS attack (e.g. TCP SYN flood)

R1 packet (Responder to Initiator)
  At the Responder: Reply with stock packet and cookie challenge (No state kept)
  Contains:
  1. Diffie-Hellman public value
  2. Cookie puzzle
  3. Encryption negotiation
  4. Responder’s Host Identity
  Is signed by Responder’s Host Identity

I2 packet (Initiator to Responder)
  At the Initiator:
  1. Solve cookie puzzle
  2. Generate key material
  Contains:
  1. Diffie-Hellman public value
  2. Cookie solution
  3. Encryption negotiation
  4. IPsec SPI
  5. (Encrypted) Host Identity
  6. (optional) piggybacked data
  Is signed by Initiator’s Host Identity

R2 packet (Responder to Initiator)
  At the Responder:
  1. Validate cookie puzzle
  2. Generate key material
  3. Install IPsec SA
  Contains:
  1. IPsec SPI
  2. (option) piggybacked data
  Is signed by Responder’s Host Identity

After R2
  Install IPsec SA
  All further packets in IPsec ESP envelope (Host Identity is implied by the SPI)


HIP Readdress

Message from Readdressee to Peer:
• Contains new address and SPI
• Is signed by Host Identity
Optional address check if needed (to prevent 3rd party bombing attacks)


HIP crypto performance

• HIP exchange takes less than one second on same PII-266MHz machines
• Time dominated by DSA signing (therefore, cookie challenge is important)
• Time spent in various functions (averages):

    Function              Initiator    Responder
    SHA keymat hashing    0.08 ms      0.11 ms
    DSA signing           450 ms       410 ms
    3DES crypto           0.53 ms      0.53 ms
    Total exchange        950 ms       790 ms

• Readdressing a host takes less than one second
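Added example (not from the Boeing slides or the hipd code): a sketch of the stateless cookie puzzle from the handshake slides, showing why the Responder can reject a bad I2 with one HMAC and one SHA-1 before spending the hundreds of milliseconds of DSA signing reported in the performance figures. The hash layout follows the general shape of the puzzle in the HIP base exchange specification; the HMAC-derived puzzle value I, the epoch counter, the field sizes, the truncated-SHA-1 HIT helper and all names are assumptions.

```python
import hashlib
import hmac
import struct

K = 12  # difficulty (constructed): low-order bits of the hash that must be zero

def hit_from_public_key(pub: bytes) -> bytes:
    """Simplified 128-bit tag: truncated SHA-1 of the public key bytes."""
    return hashlib.sha1(pub).digest()[-16:]

def puzzle_value(secret: bytes, hit_i: bytes, hit_r: bytes, epoch: int) -> bytes:
    """Responder derives I from a local secret, so it stores nothing per I1."""
    msg = hit_i + hit_r + struct.pack(">Q", epoch)
    return hmac.new(secret, msg, hashlib.sha1).digest()[:8]

def _solved(i_val: bytes, hit_i: bytes, hit_r: bytes, j: int, k: int) -> bool:
    digest = hashlib.sha1(i_val + hit_i + hit_r + struct.pack(">Q", j)).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0

def solve(i_val: bytes, hit_i: bytes, hit_r: bytes, k: int) -> int:
    """Initiator side: brute-force the smallest J, about 2**k hashes on average."""
    j = 0
    while not _solved(i_val, hit_i, hit_r, j, k):
        j += 1
    return j

def verify(secret, hit_i, hit_r, epoch, i_echo, j, k) -> bool:
    """Responder side: one HMAC and one SHA-1, done before any DSA or DH work."""
    expected = puzzle_value(secret, hit_i, hit_r, epoch)
    if not hmac.compare_digest(expected, i_echo):
        return False  # I was not issued by us for this HIT pair and epoch
    return _solved(i_echo, hit_i, hit_r, j, k)

def demo() -> dict:
    secret = b"constructed-responder-secret"
    hit_i = hit_from_public_key(b"constructed initiator public key")
    hit_r = hit_from_public_key(b"constructed responder public key")
    i_val = puzzle_value(secret, hit_i, hit_r, epoch=1000)  # carried in R1
    j = solve(i_val, hit_i, hit_r, K)                       # carried in I2
    return {
        "fresh": verify(secret, hit_i, hit_r, 1000, i_val, j, K),
        "next_epoch": verify(secret, hit_i, hit_r, 1001, i_val, j, K),
        "other_initiator": verify(secret, hit_r, hit_i, 1000, i_val, j, K),
    }

if __name__ == "__main__":
    print(demo())
```

Raising K by one doubles the Initiator's expected work while the Responder's verification cost stays constant, which is the asymmetry the cookie challenge relies on.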