Host Identity Protocol

The Host Identity Protocol (HIP) is a protocol standardized by the IETF that allows users of mobile devices (e.g. notebooks) to switch between different IP networks (roaming), hiding the resulting change of IP address from application programs and the transport layer.

Motivation

In the original design of the Internet, and thus of IP, it was assumed that connected computer systems would not change their position in the network, or only very rarely. So it was not considered a problem at the time that IP addresses served both to uniquely identify an end system and to locate it within the network topology. With the advent of laptops, PDAs and other mobile devices this picture has changed, but because the architecture of the Internet was not designed for mobility, an end system that moves to a different access network (e.g. from one WLAN to another) is, for technical reasons, assigned a new IP address each time and, as a rule, can no longer be reached at its old one. In particular, this means that all TCP and UDP connections existing at the time of the change (for example POP3 connections for e-mail retrieval, instant messaging sessions, VoIP calls) are torn down, which is unpleasant for the end user.

With the increasing proliferation of mobile devices, several solutions to this problem have been developed; Mobile IP and HIP in particular are mentioned here.

Operation

HIP solves the problem by separating the two tasks of identification and localization ("locator/ID split"). To this end, HIP inserts a new intermediate layer between layer 3 (IP) and layer 4 (TCP, UDP, ICMP, etc.). IP addresses, which still change on a network change, are retained, but from now on they serve only to locate the end system, i.e. to route data packets to it. The identification of the end system, for example as the endpoint of a TCP connection, is no longer done by the IP address but by a so-called Host Identity Tag (in German roughly "computer identification label"). This concept makes it possible to maintain, for example, an existing TCP connection even if the IP address of the end system changes, because the TCP connection is no longer bound to the IP address but to the Host Identity Tag.

Security

Host Identity Tags are not random numbers or numbers chosen by the user; they are public keys (more precisely, hashes of public keys, serving as their fingerprints) of a key pair. If two end systems want to communicate via HIP, they first check, using the Diffie-Hellman key exchange method, whether the other side really possesses the private key matching its Host Identity Tag (= public key). Such a check can also be performed when the communication partner's IP address changes. This prevents an attacker from posing as one of the communication partners by forging the Host Identity Tag and faking an IP address change, and thereby simply hijacking the connection.
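As an added illustration, not part of the original article, the following Python sketch models the binding described above: a Host Identity Tag is derived as a fingerprint of the public key, and a locator (IP address) update is accepted only if the presented host identity hashes to the HIT the association is bound to. It uses the real ORCHID prefix 2001:10::/28 but a placeholder context value and a simplified hash truncation (both assumptions), and leaves out the proof of private-key possession that the text attributes to the Diffie-Hellman exchange.

```python
import hashlib
import ipaddress

# 2001:10::/28, the ORCHID prefix used for Host Identity Tags:
# the top 28 bits of a 128-bit, IPv6-shaped address.
ORCHID_PREFIX = 0x2001001 << 100
# Placeholder only (assumption): the real construction mixes in a fixed context ID.
CONTEXT_ID = b"example-context-id-placeholder"


def host_identity_tag(host_identity: bytes) -> ipaddress.IPv6Address:
    """Derive a HIT as a fingerprint of a public key.

    Simplified ORCHID-style construction: SHA-1 over context || key, keep the
    middle 100 bits of the 160-bit digest, and prepend the 28-bit prefix.
    """
    digest = int.from_bytes(hashlib.sha1(CONTEXT_ID + host_identity).digest(), "big")
    middle_100 = (digest >> 30) & ((1 << 100) - 1)
    return ipaddress.IPv6Address(ORCHID_PREFIX | middle_100)


class HipAssociation:
    """A transport endpoint bound to a HIT; the IP address is only a mutable locator."""

    def __init__(self, peer_hi: bytes, peer_ip: str):
        self.peer_hit = host_identity_tag(peer_hi)
        self.peer_ip = ipaddress.ip_address(peer_ip)

    def update_locator(self, presented_hi: bytes, new_ip: str) -> bool:
        """Accept a new locator only if the presented key matches the bound HIT.

        A real HIP update is additionally authenticated with the private key
        behind the HIT; that proof is not modelled here.
        """
        if host_identity_tag(presented_hi) != self.peer_hit:
            return False  # identity does not match: keep the old locator
        self.peer_ip = ipaddress.ip_address(new_ip)
        return True


# Constructed sample keys: stand-ins for the encoded public keys HIP would carry.
PEER_KEY = b"constructed-peer-public-key-bytes"
ATTACKER_KEY = b"constructed-attacker-public-key-bytes"


def demo() -> tuple:
    """Legitimate roaming rebinds the locator; a mismatched identity is rejected."""
    assoc = HipAssociation(PEER_KEY, "192.0.2.10")
    moved = assoc.update_locator(PEER_KEY, "198.51.100.7")
    hijacked = assoc.update_locator(ATTACKER_KEY, "203.0.113.9")
    return moved, hijacked, str(assoc.peer_ip)
```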

Pros and Cons

A disadvantage is that the Diffie-Hellman method inevitably requires two RTTs before the first data can be transmitted; with TCP, a further 1½ RTTs are added for the SYN/ACK connection setup. The advantage of the Diffie-Hellman method, however, is that the two communication partners need neither have exchanged keys beforehand nor depend on the help of a trusted third party such as a CA.

Another disadvantage compared with Mobile IP, for example, is that introducing HIP as an additional intermediate layer is far from trivial: first, the operating systems of both communication partners must support HIP, and second, any intermediate firewalls or other filtering measures must not block HIP packets, which today (2009) is still very unlikely. The advantage of HIP is that the data packets exchanged between the communication partners always travel the normal IP routes and need not be redirected via an intermediate station, as in Mobile IP or VPN tunnels.

Specifications

  • RFC 5201: Host Identity Protocol Base
  • RFC 5202: Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)
  • RFC 5203: Host Identity Protocol (HIP) Registration Extension
  • RFC 5204: Host Identity Protocol (HIP) Rendezvous Extension
  • RFC 5205: Host Identity Protocol (HIP) Domain Name System (DNS) Extension
  • RFC 5206: End-Host Mobility and Multihoming with the Host Identity Protocol
  • RFC 5207: NAT and Firewall Traversal Issues of Host Identity Protocol (HIP) Communication

Related Links

  • Petri Jokela, Pekka Nikander, Jan Melen, Jukka Ylitalo, and Jorma Wall: Host Identity Protocol, extended abstract. Wireless World Research Forum, 2004. (PDF)
  • IETF working group
  • How HIP works
  • TCP/IP