RFC 9063: Host Identity Protocol Architecture

2.1. Terms Common to Other Documents

2.2. Terms Specific to This and Other HIP Documents

It should be noted that many of the terms defined herein are tautologous, self-referential, or defined through circular reference to other terms. This is due to the succinct nature of the definitions. See the text elsewhere in this document and the base specification [RFC7401] for more elaborate explanations.¶

3.1. A Desire for a Namespace for Computing Platforms

An independent namespace for computing platforms could be used in end-to-end operations independent of the evolution of the internetworking layer and across the many internetworking layers. This could support rapid readdressing of the internetworking layer because of mobility, rehoming, or renumbering.¶

If the namespace for computing platforms is based on public-key cryptography, it can also provide authentication services. If this namespace is locally created without requiring registration, it can provide anonymity.¶

Such a namespace (for computing platforms) and the names in it should have the following characteristics:¶

In this document, the namespace approaching these ideas is called the Host Identity namespace. Using Host Identities requires its own protocol layer, the Host Identity Protocol, between the internetworking and transport layers. The names are based on public-key cryptography to supply authentication services. Properly designed, it can deliver all of the above-stated requirements.¶

4.1. Host Identifiers

Host Identity adds two main features to Internet protocols. The first is a decoupling of the internetworking and transport layers; see Section 5. This decoupling will allow for independent evolution of the two layers. Additionally, it can provide end-to-end services over multiple internetworking realms. The second feature is host authentication. Because the Host Identifier is a public key, this key can be used for authentication in security protocols like ESP.¶

An identity is based on public-private key cryptography in HIP. The Host Identity is referred to by its public component, the public key. Thus, the name representing a Host Identity in the Host Identity namespace, i.e., the Host Identifier, is the public key. In a way, the possession of the private key defines the Identity itself. If the private key is possessed by more than one node, the Identity can be considered to be a distributed one.¶

Architecturally, any other Internet naming convention might form a usable base for Host Identifiers. However, non-cryptographic names should only be used in situations of high trust and/or low risk. That is any place where host authentication is not needed (no risk of host spoofing) and no use of ESP. However, at least for interconnected networks spanning several operational domains, the set of environments where the risk of host spoofing allowed by non-cryptographic Host Identifiers is acceptable is the null set. Hence, the current HIP documents do not specify how to use any other types of Host Identifiers but public keys. For instance, the Back to My Mac service [RFC6281] from Apple comes pretty close to the functionality of HIP, but unlike HIP, it is based on non-cryptographic identifiers.¶

The actual Host Identifiers are never directly used at the transport or network layers. The corresponding Host Identifiers (public keys) may be stored in various DNS or other directories as identified elsewhere in this document, and they are passed in the HIP base exchange. A Host Identity Tag (HIT) is used in other protocols to represent the Host Identity. Another representation of the Host Identities, the Local Scope Identifier (LSI), can also be used in protocols and APIs.¶

4.2. Host Identity Hash (HIH)

The Host Identity Hash (HIH) is the cryptographic hash algorithm used in producing the HIT from the HI. It is also the hash used throughout HIP for consistency and simplicity. It is possible for the two hosts in the HIP exchange to use different hash algorithms.¶

Multiple HIHs within HIP are needed to address the moving target of creation and eventual compromise of cryptographic hashes. This significantly complicates HIP and offers an attacker an additional downgrade attack that is mitigated in HIP [RFC7401].¶

4.3. Host Identity Tag (HIT)

A Host Identity Tag (HIT) is a 128-bit representation for a Host Identity. Due to its size, it is suitable for use in the existing sockets API in the place of IPv6 addresses (e.g., in sockaddr_in6 structure, sin6_addr member) without modifying applications. It is created from an HIH, an IPv6 prefix [RFC7343], and a hash identifier. There are two advantages of using the HIT over using the Host Identifier in protocols. First, its fixed length makes for easier protocol coding and also better manages the packet size cost of this technology. Second, it presents the identity in a consistent format to the protocol independent of the cryptographic algorithms used.¶

In essence, the HIT is a hash over the public key. As such, two algorithms affect the generation of a HIT: the public-key algorithm of the HI and the used HIH. The two algorithms are encoded in the bit presentation of the HIT. As the two communicating parties may support different algorithms, [RFC7401] defines the minimum set for interoperability. For further interoperability, the Responder may store its keys in DNS records, and thus the Initiator may have to couple destination HITs with appropriate source HITs according to matching HIH.¶

In the HIP packets, the HITs identify the sender and recipient of a packet. Consequently, a HIT should be unique in the whole IP universe as long as it is being used. In the extremely rare case of a single HIT mapping to more than one Host Identity, the Host Identifiers (public keys) will make the final difference. If there is more than one public key for a given node, the HIT acts as a hint for the correct public key to use.¶

Although it may be rare for an accidental collision to cause a single HIT mapping to more than one Host Identity, it may be the case that an attacker succeeds to find, by brute force or algorithmic weakness, a second Host Identity hashing to the same HIT. This type of attack is known as a preimage attack, and the resistance to finding a second Host Identifier (public key) that hashes to the same HIT is called second preimage resistance. Second preimage resistance in HIP is based on the hash algorithm strength and the length of the hash output used. Through HIPv2 [RFC7401], this resistance is 96 bits (less than the 128-bit width of an IPv6 address field due to the presence of the Overlay Routable Cryptographic Hash Identifiers (ORCHID) prefix [RFC7343]). 96 bits of resistance was considered acceptable strength during the design of HIP but may eventually be considered insufficient for the threat model of an envisioned deployment. One possible mitigation would be to augment the use of HITs in the deployment with the HIs themselves (and mechanisms to securely bind the HIs to the HITs), so that the HI becomes the final authority. It also may be possible to increase the difficulty of a brute force attack by making the generation of the HI more computationally difficult, such as the hash extension approach of Secure Neighbor Discovery Cryptographically Generated Addresses (CGAs) [RFC3972], although the HIP specifications through HIPv2 do not provide such a mechanism. Finally, deployments that do not use ORCHIDs (such as certain types of overlay networks) might also use the full 128-bit width of an IPv6 address field for the HIT.¶

4.5. Storing Host Identifiers in Directories

The public Host Identifiers should be stored in DNS; the unpublished Host Identifiers should not be stored anywhere (besides the communicating hosts themselves). The (public) HI along with the supported HIHs are stored in a new Resource Record (RR) type. This RR type is defined in the HIP DNS extension [RFC8005].¶

Alternatively, or in addition to storing Host Identifiers in the DNS, they may be stored in various other directories. For instance, a directory based on the Lightweight Directory Access Protocol (LDAP) or a Public Key Infrastructure (PKI) [RFC8002] may be used. Alternatively, Distributed Hash Tables (DHTs) [RFC6537] have successfully been utilized [RFC6538]. Such a practice may allow them to be used for purposes other than pure host identification.¶

Some types of applications may cache and use Host Identifiers directly, while others may indirectly discover them through a symbolic host name (such as a Fully Qualified Domain Name (FQDN)) look up from a directory. Even though Host Identities can have a substantially longer lifetime associated with them than routable IP addresses, directories may be a better approach to manage the lifespan of Host Identities. For example, an LDAP-based directory or DHT can be used for locally published identities whereas DNS can be more suitable for public advertisement.¶

11.1. MitM Attacks

HIP takes advantage of the Host Identity paradigm to provide secure authentication of hosts and to provide a fast key exchange for ESP. HIP also attempts to limit the exposure of the host to various denial-of-service (DoS) and man-in-the-middle (MitM) attacks. In so doing, HIP itself is subject to its own DoS and MitM attacks that potentially could be more damaging to a host's ability to conduct business as usual.¶

Resource exhausting DoS attacks take advantage of the cost of setting up a state for a protocol on the Responder compared to the 'cheapness' on the Initiator. HIP allows a Responder to increase the cost of the start of state on the Initiator and makes an effort to reduce the cost to the Responder. This is done by having the Responder start the authenticated Diffie-Hellman exchange instead of the Initiator, making the HIP base exchange four packets long. The first packet sent by the Responder can be prebuilt to further mitigate the costs. This packet also includes a computational puzzle that can optionally be used to further delay the Initiator, for instance, when the Responder is overloaded. The details are explained in the base exchange specification [RFC7401].¶

MitM attacks are difficult to defend against without third-party authentication. A skillful MitM could easily handle all parts of the HIP base exchange, but HIP indirectly provides the following protection from a MitM attack. If the Responder's HI is retrieved from a signed DNS zone or securely obtained by some other means, the Initiator can use this to authenticate the signed HIP packets. Likewise, if the Initiator's HI is in a secure DNS zone, the Responder can retrieve it and validate the signed HIP packets. However, since an Initiator may choose to use an unpublished HI, it knowingly risks a MitM attack. The Responder may choose not to accept a HIP exchange with an Initiator using an unknown HI.¶

Other types of MitM attacks against HIP can be mounted using ICMP messages that can be used to signal about problems. As an overall guideline, the ICMP messages should be considered as unreliable "hints" and should be acted upon only after timeouts. The exact attack scenarios and countermeasures are described in full detail in the base exchange specification [RFC7401].¶

A MitM attacker could try to replay older I1 or R1 messages using weaker cryptographic algorithms as described in Section 4.1.4 of [RFC7401]. The base exchange has been augmented to deal with such an attack by restarting on the detection of the attack. At worst, this would only lead to a situation in which the base exchange would never finish (or would be aborted after some retries). As a drawback, this leads to a six-way base exchange, which may seem bad at first. However, since this only occurs in an attack scenario and since the attack can be handled (so it is not interesting to mount anymore), we assume the subsequent messages do not represent a security threat. Since the MitM cannot be successful with a downgrade attack, these sorts of attacks will only occur as 'nuisance' attacks. So, the base exchange would still be usually just four packets even though implementations must be prepared to protect themselves against the downgrade attack.¶

In HIP, the Security Association for ESP is indexed by the SPI; the source address is always ignored, and the destination address may be ignored as well. Therefore, HIP-enabled ESP is IP address independent. This might seem to make attacking easier, but ESP with replay protection is already as well protected as possible, and the removal of the IP address as a check should not increase the exposure of ESP to DoS attacks.¶

11.3. HITs Used in ACLs

At end-hosts, HITs can be used in IP-based access control lists at the application and network layers. At middleboxes, HIP-aware firewalls [lindqvist-enterprise] can use HITs or public keys to control both ingress and egress access to networks or individual hosts, even in the presence of mobile devices because the HITs and public keys are topology independent. As discussed earlier in Section 7, once a HIP session has been established, the SPI value in an ESP packet may be used as an index, indicating the HITs. In practice, firewalls can inspect HIP packets to learn of the bindings between HITs, SPI values, and IP addresses. They can even explicitly control ESP usage, dynamically opening ESP only for specific SPI values and IP addresses. The signatures in HIP packets allow a capable firewall to ensure that the HIP exchange is indeed occurring between two known hosts. This may increase firewall security.¶

A potential drawback of HITs in ACLs is their 'flatness', which means they cannot be aggregated, and this could potentially result in larger table searches in HIP-aware firewalls. A way to optimize this could be to utilize Bloom filters for grouping HITs [sarela-bloom]. However, it should be noted that it is also easier to exclude individual, misbehaving hosts when the firewall rules concern individual HITs rather than groups.¶

There has been considerable bad experience with distributed ACLs that contain material related to public keys, for example, with SSH. If the owner of a key needs to revoke it for any reason, the task of finding all locations where the key is held in an ACL may be impossible. If the reason for the revocation is due to private key theft, this could be a serious issue.¶

A host can keep track of all of its partners that might use its HIT in an ACL by logging all remote HITs. It should only be necessary to log Responder hosts. With this information, the host can notify the various hosts about the change to the HIT. There have been attempts to develop a secure method to issue the HIT revocation notice [zhang-revocation].¶

Some of the HIP-aware middleboxes, such as firewalls [lindqvist-enterprise] or NATs [ylitalo-spinat], may observe the on-path traffic passively. Such middleboxes are transparent by their nature and may not get a notification when a host moves to a different network. Thus, such middleboxes should maintain soft state and time out when the control and data planes between two HIP end-hosts have been idle too long. Correspondingly, the two end-hosts may send periodically keepalives, such as UPDATE packets or ICMP messages inside the ESP tunnel, to sustain state at the on-path middleboxes.¶

One general limitation related to end-to-end encryption is that middleboxes may not be able to participate in the protection of data flows. While the issue may also affect other protocols, Heer et al. [heer-end-host] have analyzed the problem in the context of HIP. More specifically, when ESP is used as the data plane protocol for HIP, the association between the control and data planes is weak and can be exploited under certain assumptions. In the scenario, the attacker has already gained access to the target network protected by a HIP-aware firewall, but wants to circumvent the HIP-based firewall. To achieve this, the attacker passively observes a base exchange between two HIP hosts and later replays it. This way, the attacker manages to penetrate the firewall and can use a fake ESP tunnel to transport its own data. This is possible because the firewall cannot distinguish when the ESP tunnel is valid. As a solution, HIP-aware middleboxes may participate in the control plane interaction by adding random nonce parameters to the control traffic, which the end-hosts have to sign to guarantee the freshness of the control traffic [heer-midauth]. As an alternative, extensions for transporting the data plane directly over the control plane can be used [RFC6078].¶

11.4. Alternative HI Considerations

The definition of the Host Identifier states that the HI need not be a public key. It implies that the HI could be any value, for example, a FQDN. This document does not describe how to support such a non-cryptographic HI, but examples of such protocol variants do exist ([urien-rfid], [urien-rfid-draft]). A non-cryptographic HI would still offer the services of the HIT or LSI for NAT traversal. It would be possible to carry HITs in HIP packets that had neither privacy nor authentication. Such schemes may be employed for resource-constrained devices, such as small sensors operating on battery power, but are not further analyzed here.¶

If it is desirable to use HIP in a low-security situation where public key computations are considered expensive, HIP can be used with very short Diffie-Hellman and Host Identity keys. Such use makes the participating hosts vulnerable to MitM and connection hijacking attacks. However, it does not cause flooding dangers, since the address check mechanism relies on the routing system and not on cryptographic strength.¶

11.5. Trust on First Use

[RFC7435] highlights four design principles for Leap of Faith, or Trust On First Use (TOFU), protocols that apply also to opportunistic HIP:¶

According to the first TOFU design principle, "Opportunistic security never displaces or preempts explicit policy". Some application data may be too sensitive, so the related policy could require authentication (i.e., the public key or certificate) in such a case instead of the unauthenticated opportunistic mode. In practice, this has been realized in HIP implementations as follows [RFC6538].¶

The OpenHIP implementation allowed an Initiator to use opportunistic mode only with an explicitly configured Responder IP address, when the Responder's HIT is unknown. At the Responder, OpenHIP had an option to allow opportunistic mode with any Initiator -- trust any Initiator.¶

HIP for Linux (HIPL) developers experimented with more fine-grained policies operating at the application level. The HIPL implementation utilized so-called "LD_PRELOAD" hooking at the application layer that allowed a dynamically linked library to intercept socket-related calls without rebuilding the related application binaries. The library acted as a shim layer between the application and transport layers. The shim layer translated the non-HIP-based socket calls from the application into HIP-based socket calls. While the shim library involved some level of complexity as described in more detail in [komu-leap], it achieved the goal of applying opportunistic mode at the granularity of individual applications.¶

The second TOFU principle essentially states that communication should prioritized over security. So opportunistic mode should be, in general, allowed even if no authentication is present, and even possibly a fallback to unencrypted communications could be allowed (if policy permits) instead of blocking communications. In practice, this can be realized in three steps. In the first step, a HIP Initiator can look up the HI of a Responder from a directory such as DNS. When the Initiator discovers a HI, it can use the HI for authentication and skip the rest of the following steps. In the second step, the Initiator can, upon failing to find a HI, try opportunistic mode with the Responder. In the third step, the Initiator can fall back to non-HIP-based communications upon failing with opportunistic mode if the policy allows it. This three-step model has been implemented successfully and described in more detail in [komu-leap].¶

The third TOFU principle suggests that security should be maximized, so that at least opportunistic security would be employed. The three-step model described earlier prefers authentication when it is available, e.g., via DNS records (and possibly even via DNSSEC when available) and falls back to opportunistic mode when no out-of-band credentials are available. As the last resort, fallback to non-HIP-based communications can be used if the policy allows it. Also, since perfect forward secrecy (PFS) is explicitly mentioned in the third design principle, it is worth mentioning that HIP supports it.¶

The fourth TOFU principle states that users and noninteractive applications should be properly informed about the level of security being applied. In practice, non-HIP-aware applications would assume that no extra security is being applied, so misleading at least a noninteractive application should not be possible. In the case of interactive desktop applications, system-level prompts have been utilized in earlier HIP experiments [karvonen-usable] [RFC6538] to guide the user about the underlying HIP-based security. In general, users in those experiments perceived when HIP-based security was being used versus not used. However, the users failed to notice the difference between opportunistic, non-authenticated HIP and non-opportunistic, authenticated HIP. The reason for this was that the opportunistic HIP (i.e., lowered level of security) was not clearly indicated in the prompt. This provided a valuable lesson to further improve the user interface.¶

In the case of HIP-aware applications, native sockets APIs for HIP as specified in [RFC6317] can be used to develop application-specific logic instead of using generic system-level prompting. In such a case, the application itself can directly prompt the user or otherwise manage the situation in other ways. In this case, noninteractive applications also can properly log the level of security being employed because the developer can now explicitly program the use of authenticated HIP, opportunistic HIP, and plain-text communication.¶

It is worth mentioning a few additional items discussed in [RFC7435]. Related to active attacks, HIP has built-in protection against ciphersuite downgrade attacks as described in detail in [RFC7401]. In addition, pre-deployed certificates could be used to mitigate against active attacks in the case of opportunistic mode as mentioned in [RFC6538].¶

Detection of peer capabilities is also mentioned in the TOFU context. As discussed in this section, the three-step model can be used to detect peer capabilities. A host can achieve the first step of authentication, i.e., discovery of a public key, via DNS, for instance. If the host finds no keys, the host can then try opportunistic mode as the second step. Upon a timeout, the host can then proceed to the third step by falling back to non-HIP-based communications if the policy permits. This last step is based on an implicit timeout rather an explicit (negative) acknowledgment like in the case of DNS, so the user may conclude prematurely that the connectivity has failed. To speed up the detection phase by explicitly detecting if the peer supports opportunistic HIP, researchers have proposed TCP-specific extensions [RFC6538] [komu-leap]. In a nutshell, an Initiator sends simultaneously both an opportunistic I1 packet and the related TCP SYN datagram equipped with a special TCP option to a peer. If the peer supports HIP, it drops the SYN packet and responds with an R1. If the peer is HIP incapable, it drops the HIP packet (and the unknown TCP option) and responds with a TCP SYN-ACK. The benefit of the proposed scheme is a faster, one round-trip fallback to non-HIP-based communications. The drawback is that the approach is tied to TCP (IP options were also considered, but do not work well with firewalls and NATs). Naturally, the approach does not work against an active attacker, but opportunistic mode is not supposed to protect against such an adversary anyway.¶

It is worth noting that while the use of opportunistic mode has some benefits related to incremental deployment, it does not achieve all the benefits of authenticated HIP [komu-diss]. Namely, authenticated HIP supports persistent identifiers in the sense that hosts are identified with the same HI independent of their movement. Opportunistic HIP meets this goal only partially: after the first contact between two hosts, HIP can successfully sustain connectivity with its mobility management extensions, but problems emerge when the hosts close the HIP association and try to reestablish connectivity. As hosts can change their location, it is no longer guaranteed that the same IP address belongs to the same host. The same address can be temporally assigned to different hosts, e.g., due to the reuse of IP addresses (e.g., by a DHCP service), the overlapping of private address realms (see also the discussion on Internet transparency in Appendix A.1), or due to an attempted attack.¶

14.1. Normative References

[RFC5482]

Eggert, L. and F. Gont, "TCP User Timeout Option", RFC 5482, DOI 10.17487/RFC5482, March 2009, <https://www.rfc-editor.org/info/rfc5482>.

[RFC6079]

Camarillo, G., Nikander, P., Hautakorpi, J., Keranen, A., and A. Johnston, "HIP BONE: Host Identity Protocol (HIP) Based Overlay Networking Environment (BONE)", RFC 6079, DOI 10.17487/RFC6079, January 2011, <https://www.rfc-editor.org/info/rfc6079>.

[RFC7086]

Keranen, A., Camarillo, G., and J. Maenpaa, "Host Identity Protocol-Based Overlay Networking Environment (HIP BONE) Instance Specification for REsource LOcation And Discovery (RELOAD)", RFC 7086, DOI 10.17487/RFC7086, January 2014, <https://www.rfc-editor.org/info/rfc7086>.

[RFC7343]

Laganier, J. and F. Dupont, "An IPv6 Prefix for Overlay Routable Cryptographic Hash Identifiers Version 2 (ORCHIDv2)", RFC 7343, DOI 10.17487/RFC7343, September 2014, <https://www.rfc-editor.org/info/rfc7343>.

[RFC7401]

Moskowitz, R., Ed., Heer, T., Jokela, P., and T. Henderson, "Host Identity Protocol Version 2 (HIPv2)", RFC 7401, DOI 10.17487/RFC7401, April 2015, <https://www.rfc-editor.org/info/rfc7401>.

[RFC7402]

Jokela, P., Moskowitz, R., and J. Melen, "Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)", RFC 7402, DOI 10.17487/RFC7402, April 2015, <https://www.rfc-editor.org/info/rfc7402>.

[RFC8002]

Heer, T. and S. Varjonen, "Host Identity Protocol Certificates", RFC 8002, DOI 10.17487/RFC8002, October 2016, <https://www.rfc-editor.org/info/rfc8002>.

[RFC8003]

Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) Registration Extension", RFC 8003, DOI 10.17487/RFC8003, October 2016, <https://www.rfc-editor.org/info/rfc8003>.

[RFC8004]

Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) Rendezvous Extension", RFC 8004, DOI 10.17487/RFC8004, October 2016, <https://www.rfc-editor.org/info/rfc8004>.

[RFC8005]

Laganier, J., "Host Identity Protocol (HIP) Domain Name System (DNS) Extension", RFC 8005, DOI 10.17487/RFC8005, October 2016, <https://www.rfc-editor.org/info/rfc8005>.

[RFC8046]

Henderson, T., Ed., Vogt, C., and J. Arkko, "Host Mobility with the Host Identity Protocol", RFC 8046, DOI 10.17487/RFC8046, February 2017, <https://www.rfc-editor.org/info/rfc8046>.

[RFC8047]

Henderson, T., Ed., Vogt, C., and J. Arkko, "Host Multihoming with the Host Identity Protocol", RFC 8047, DOI 10.17487/RFC8047, February 2017, <https://www.rfc-editor.org/info/rfc8047>.

[RFC9028]

Keränen, A., Melén, J., and M. Komu, Ed., "Native NAT Traversal Mode for the Host Identity Protocol", RFC 9028, DOI 10.17487/RFC9028, July 2021, <https://www.rfc-editor.org/info/rfc9028>.

14.2. Informative References

[amir-hip]

Amir, K., Forsgren, H., Grahn, K., Karvi, T., and G. Pulkkis, "Security and Trust of Public Key Cryptography for HIP and HIP Multicast", International Journal of Dependable and Trustworthy Information Systems (IJDTIS), Vol. 2, Issue 3, pp. 17-35, DOI 10.4018/jdtis.2011070102, 2013, <https://doi.org/10.4018/jdtis.2011070102>.

[aura-dos]

Aura, T., Nikander, P., and J. Leiwo, "DOS-Resistant Authentication with Client Puzzles", 8th International Workshop on Security Protocols, Security Protocols 2000, Lecture Notes in Computer Science, Vol. 2133, pp. 170-177, Springer, DOI 10.1007/3-540-44810-1_22, September 2001, <https://doi.org/10.1007/3-540-44810-1_22>.

[beal-dos]

Beal, J. and T. Shepard, "Deamplification of DoS Attacks via Puzzles", October 2004.

[camarillo-p2psip]

Camarillo, G., Mäenpää, J., Keränen, A., and V. Anderson, "Reducing delays related to NAT traversal in P2PSIP session establishments", IEEE Consumer Communications and Networking Conference (CCNC), pp. 549-553, DOI 10.1109/CCNC.2011.5766540, 2011, <https://doi.org/10.1109/CCNC.2011.5766540>.

[chiappa-endpoints]

Chiappa, J., "Endpoints and Endpoint Names: A Proposed Enhancement to the Internet Architecture", 1999, <http://mercury.lcs.mit.edu/~jnc/tech/endpoints.txt>.

[heer-end-host]

Heer, T., Hummen, R., Komu, M., Gotz, S., and K. Wehrle, "End-Host Authentication and Authorization for Middleboxes Based on a Cryptographic Namespace", 2009 IEEE International Conference on Communications, DOI 10.1109/ICC.2009.5198984, 2009, <https://doi.org/10.1109/ICC.2009.5198984>.

[heer-midauth]

Heer, T., Ed., Hummen, R., Wehrle, K., and M. Komu, "End-Host Authentication for HIP Middleboxes", Work in Progress, Internet-Draft, draft-heer-hip-middle-auth-04, 31 October 2011, <https://datatracker.ietf.org/doc/html/draft-heer-hip-middle-auth-04>.

[henderson-vpls]

Henderson, T. R., Venema, S. C., and D. Mattes, "HIP-based Virtual Private LAN Service (HIPLS)", Work in Progress, Internet-Draft, draft-henderson-hip-vpls-11, 3 August 2016, <https://datatracker.ietf.org/doc/html/draft-henderson-hip-vpls-11>.

[hip-dex]

Moskowitz, R., Ed., Hummen, R., and M. Komu, "HIP Diet EXchange (DEX)", Work in Progress, Internet-Draft, draft-ietf-hip-dex-24, 19 January 2021, <https://datatracker.ietf.org/doc/html/draft-ietf-hip-dex-24>.

[hip-lte]

Liyanage, M., Kumar, P., Ylianttila, M., and A. Gurtov, "Novel secure VPN architectures for LTE backhaul networks", Security and Communication Networks, Vol. 9, pp. 1198-1215, DOI 10.1002/sec.1411, January 2016, <https://doi.org/10.1002/sec.1411>.

[hip-srtp]

Tschofenig, H., Shanmugam, M., and F. Muenz, "Using SRTP transport format with HIP", Work in Progress, Internet-Draft, draft-tschofenig-hiprg-hip-srtp-02, 25 October 2006, <https://datatracker.ietf.org/doc/html/draft-tschofenig-hiprg-hip-srtp-02>.

[hummen]

Hummen, R., Hiller, J., Henze, M., and K. Wehrle, "Slimfit - A HIP DEX compression layer for the IP-based Internet of Things", 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), pp. 259-266, DOI 10.1109/WiMOB.2013.6673370, October 2013, <https://doi.org/10.1109/WiMOB.2013.6673370>.

[IEEE.802.15.4]

IEEE, "IEEE Standard for Low-Rate Wireless Networks", IEEE Standard 802.15.4, DOI 10.1109/IEEESTD.2020.9144691, July 2020, <https://ieeexplore.ieee.org/document/9144691>.

[IEEE.802.15.9]

IEEE, "IEEE Draft Recommended Practice for Transport of Key Management Protocol (KMP) Datagrams", IEEE P802.15.9/D04, May 2015.

[karvonen-usable]

Karvonen, K., Komu, M., and A. Gurtov, "Usable security management with host identity protocol", 2009 IEEE/ACS International Conference on Computer Systems and Applications, pp. 279-286, DOI 10.1109/AICCSA.2009.5069337, 2009, <https://doi.org/10.1109/AICCSA.2009.5069337>.

[komu-cloud]

Komu, M., Sethi, M., Mallavarapu, R., Oirola, H., Khan, R., and S. Tarkoma, "Secure Networking for Virtual Machines in the Cloud", 2012 IEEE International Conference on Cluster Computing Workshops, pp. 88-96, DOI 10.1109/ClusterW.2012.29, 2012, <https://doi.org/10.1109/ClusterW.2012.29>.

[komu-diss]

Komu, M., "A Consolidated Namespace for Network Applications, Developers, Administrators and Users", Dissertation, Aalto University, Espoo, Finland, ISBN 978-952-60-4904-5 (printed), ISBN 978-952-60-4905-2 (electronic), December 2012.

[komu-leap]

Komu, M. and J. Lindqvist, "Leap-of-Faith Security is Enough for IP Mobility", 2009 6th IEEE Consumer Communications and Networking Conference, Las Vegas, NV, USA, pp. 1-5, DOI 10.1109/CCNC.2009.4784729, January 2009, <https://doi.org/10.1109/CCNC.2009.4784729>.

[komu-mitigation]

Komu, M., Tarkoma, S., and A. Lukyanenko, "Mitigation of Unsolicited Traffic Across Domains with Host Identities and Puzzles", 15th Nordic Conference on Secure IT Systems, NordSec 2010, Lecture Notes in Computer Science, Vol. 7127, pp. 33-48, Springer, ISBN 978-3-642-27936-2, DOI 10.1007/978-3-642-27937-9_3, October 2010, <https://doi.org/10.1007/978-3-642-27937-9_3>.

[kovacshazi-host]

Kovacshazi, Z. and R. Vida, "Host Identity Specific Multicast", International Conference on Networking and Services (ICNS '07), Athens, Greece, pp. 1-1, DOI 10.1109/ICNS.2007.66, 2007, <https://doi.org/10.1109/ICNS.2007.66>.

[levae-barriers]

Levä, T., Komu, M., and S. Luukkainen, "Adoption barriers of network layer protocols: the case of host identity protocol", Computer Networks, Vol. 57, Issue 10, pp. 2218-2232, ISSN 1389-1286, DOI 10.1016/j.comnet.2012.11.024, March 2013, <https://doi.org/10.1016/j.comnet.2012.11.024>.

[lindqvist-enterprise]

Lindqvist, J., Vehmersalo, E., Komu, M., and J. Manner, "Enterprise Network Packet Filtering for Mobile Cryptographic Identities", International Journal of Handheld Computing Research (IJHCR), Vol. 1, Issue 1, pp. 79-94, DOI 10.4018/jhcr.2010090905, 2010, <https://doi.org/10.4018/jhcr.2010090905>.

[Nik2001]

Nikander, P., "Denial-of-Service, Address Ownership, and Early Authentication in the IPv6 World", 9th International Workshop on Security Protocols, Security Protocols 2001, Lecture Notes in Computer Science, Vol. 2467, pp. 12-21, Springer, DOI 10.1007/3-540-45807-7_3, 2002, <https://doi.org/10.1007/3-540-45807-7_3>.

[nsrg-report]

Lear, E. and R. Droms, "What's In A Name: Thoughts from the NSRG", Work in Progress, Internet-Draft, draft-irtf-nsrg-report-10, 22 September 2003, <https://datatracker.ietf.org/doc/html/draft-irtf-nsrg-report-10>.

[paine-hip]

Paine, R. H., "Beyond HIP: The End to Hacking As We Know It", BookSurge Publishing, ISBN-10 1439256047, ISBN-13 978-1439256046, 2009.

[pham-leap]

Pham, V. and T. Aura, "Security Analysis of Leap-of-Faith Protocols", 7th International ICST Conference, Security and Privacy for Communication Networks, SecureComm 2011, Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, Vol. 96, DOI 10.1007/978-3-642-31909-9_19, 2012, <https://doi.org/10.1007/978-3-642-31909-9_19>.

[ranjbar-synaptic]

Ranjbar, A., Komu, M., Salmela, P., and T. Aura, "SynAPTIC: Secure and Persistent Connectivity for Containers", 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID), Madrid, 2017, pp. 262-267, DOI 10.1109/CCGRID.2017.62, 2017, <https://doi.org/10.1109/CCGRID.2017.62>.

[RFC2136]

Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, DOI 10.17487/RFC2136, April 1997, <https://www.rfc-editor.org/info/rfc2136>.

[RFC2766]

Tsirtsis, G. and P. Srisuresh, "Network Address Translation - Protocol Translation (NAT-PT)", RFC 2766, DOI 10.17487/RFC2766, February 2000, <https://www.rfc-editor.org/info/rfc2766>.

[RFC3022]

Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, DOI 10.17487/RFC3022, January 2001, <https://www.rfc-editor.org/info/rfc3022>.

[RFC3102]

Borella, M., Lo, J., Grabelsky, D., and G. Montenegro, "Realm Specific IP: Framework", RFC 3102, DOI 10.17487/RFC3102, October 2001, <https://www.rfc-editor.org/info/rfc3102>.

[RFC3748]

Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, Ed., "Extensible Authentication Protocol (EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004, <https://www.rfc-editor.org/info/rfc3748>.

[RFC3972]

Aura, T., "Cryptographically Generated Addresses (CGA)", RFC 3972, DOI 10.17487/RFC3972, March 2005, <https://www.rfc-editor.org/info/rfc3972>.

[RFC4033]

Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, DOI 10.17487/RFC4033, March 2005, <https://www.rfc-editor.org/info/rfc4033>.

[RFC4225]

Nikander, P., Arkko, J., Aura, T., Montenegro, G., and E. Nordmark, "Mobile IP Version 6 Route Optimization Security Design Background", RFC 4225, DOI 10.17487/RFC4225, December 2005, <https://www.rfc-editor.org/info/rfc4225>.

[RFC4380]

Huitema, C., "Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)", RFC 4380, DOI 10.17487/RFC4380, February 2006, <https://www.rfc-editor.org/info/rfc4380>.

[RFC4423]

Moskowitz, R. and P. Nikander, "Host Identity Protocol (HIP) Architecture", RFC 4423, DOI 10.17487/RFC4423, May 2006, <https://www.rfc-editor.org/info/rfc4423>.

[RFC5218]

Thaler, D. and B. Aboba, "What Makes for a Successful Protocol?", RFC 5218, DOI 10.17487/RFC5218, July 2008, <https://www.rfc-editor.org/info/rfc5218>.

[RFC5338]

Henderson, T., Nikander, P., and M. Komu, "Using the Host Identity Protocol with Legacy Applications", RFC 5338, DOI 10.17487/RFC5338, September 2008, <https://www.rfc-editor.org/info/rfc5338>.

[RFC5887]

Carpenter, B., Atkinson, R., and H. Flinck, "Renumbering Still Needs Work", RFC 5887, DOI 10.17487/RFC5887, May 2010, <https://www.rfc-editor.org/info/rfc5887>.

[RFC6078]

Camarillo, G. and J. Melen, "Host Identity Protocol (HIP) Immediate Carriage and Conveyance of Upper-Layer Protocol Signaling (HICCUPS)", RFC 6078, DOI 10.17487/RFC6078, January 2011, <https://www.rfc-editor.org/info/rfc6078>.

[RFC6250]

Thaler, D., "Evolution of the IP Model", RFC 6250, DOI 10.17487/RFC6250, May 2011, <https://www.rfc-editor.org/info/rfc6250>.

[RFC6281]

Cheshire, S., Zhu, Z., Wakikawa, R., and L. Zhang, "Understanding Apple's Back to My Mac (BTMM) Service", RFC 6281, DOI 10.17487/RFC6281, June 2011, <https://www.rfc-editor.org/info/rfc6281>.

[RFC6317]

Komu, M. and T. Henderson, "Basic Socket Interface Extensions for the Host Identity Protocol (HIP)", RFC 6317, DOI 10.17487/RFC6317, July 2011, <https://www.rfc-editor.org/info/rfc6317>.

[RFC6537]

Ahrenholz, J., "Host Identity Protocol Distributed Hash Table Interface", RFC 6537, DOI 10.17487/RFC6537, February 2012, <https://www.rfc-editor.org/info/rfc6537>.

[RFC6538]

Henderson, T. and A. Gurtov, "The Host Identity Protocol (HIP) Experiment Report", RFC 6538, DOI 10.17487/RFC6538, March 2012, <https://www.rfc-editor.org/info/rfc6538>.

[RFC7296]

Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, <https://www.rfc-editor.org/info/rfc7296>.

[RFC7435]

Dukhovni, V., "Opportunistic Security: Some Protection Most of the Time", RFC 7435, DOI 10.17487/RFC7435, December 2014, <https://www.rfc-editor.org/info/rfc7435>.

[sarela-bloom]

Särelä, M., Esteve Rothenberg, C., Zahemszky, A., Nikander, P., and J. Ott, "BloomCasting: Security in Bloom Filter Based Multicast", Information Security Technology for Applications, NordSec 2010, Lecture Notes in Computer Science, Vol. 7127, pages 1-16, Springer, DOI 10.1007/978-3-642-27937-9_1, 2012, <https://doi.org/10.1007/978-3-642-27937-9_1>.

[schuetz-intermittent]

Schütz, S., Eggert, L., Schmid, S., and M. Brunner, "Protocol enhancements for intermittently connected hosts", ACM SIGCOMM Computer Communication Review, Vol. 35, Issue 3, pp. 5-18, DOI 10.1145/1070873.1070875, July 2005, <https://doi.org/10.1145/1070873.1070875>.

[shields-hip]

Shields, C. and J. J. Garcia-Luna-Aceves, "The HIP protocol for hierarchical multicast routing", Proceedings of the seventeenth annual ACM symposium on Principles of distributed computing, pp. 257-266, ISBN 0-89791-977-7, DOI 10.1145/277697.277744, 1998, <https://doi.org/10.1145/277697.277744>.

[tempered-networks]

Tempered Networks, "Identity-Defined Network (IDN) Architecture: Unified, Secure Networking Made Simple", White Paper, 2016.

[tritilanunt-dos]

Tritilanunt, S., Boyd, C., Foo, E., and J.M.G. Nieto, "Examining the DoS Resistance of HIP", On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops, Lecture Notes in Computer Science, Vol. 4277, pp. 616-625, Springer, DOI 10.1007/11915034_85, 2006, <https://doi.org/10.1007/11915034_85>.

[urien-rfid]

Urien, P., Chabanne, H., Pepin, C., Orga, S., Bouet, M., de Cunha, D.O., Guyot, V., Pujolle, G., Paradinas, P., Gressier, E., and J.-F. Susini, "HIP-based RFID Networking Architecture", 2007 IFIP International Conference on Wireless and Optical Communications Networks, pp. 1-5, DOI 10.1109/WOCN.2007.4284140, 2007, <https://doi.org/10.1109/WOCN.2007.4284140>.

[urien-rfid-draft]

Urien, P., Lee, G. M., and G. Pujolle, "HIP support for RFIDs", Work in Progress, Internet-Draft, draft-irtf-hiprg-rfid-07, 23 April 2013, <https://datatracker.ietf.org/doc/html/draft-irtf-hiprg-rfid-07>.

[varjonen-split]

Varjonen, S., Komu, M., and A. Gurtov, "Secure and Efficient IPv4/IPv6 Handovers Using Host-Based Identifier-Location Split", Journal of Communications Software and Systems, Vol. 6, Issue 1, ISSN 18456421, DOI 10.24138/jcomss.v6i1.193, 2010, <https://doi.org/10.24138/jcomss.v6i1.193>.

[xin-hip-lib]

Xin, G., "Host Identity Protocol Version 2.5", Master's Thesis, Aalto University, Espoo, Finland, June 2012.

[ylitalo-diss]

Ylitalo, J., "Secure Mobility at Multiple Granularity Levels over Heterogeneous Datacom Networks", Dissertation, Helsinki University of Technology, Espoo, Finland, ISBN 978-951-22-9531-9, 2008.

[ylitalo-spinat]

Ylitalo, J., Salmela, P., and H. Tschofenig, "SPINAT: Integrating IPsec into Overlay Routing", First International Conference on Security and Privacy for Emerging Areas in Communication Networks, SECURECOMM'05, Athens, Greece, pp. 315-326, ISBN 0-7695-2369-2, DOI 10.1109/SECURECOMM.2005.53, 2005, <https://doi.org/10.1109/SECURECOMM.2005.53>.

[zhang-revocation]

Zhang, D., Kuptsov, D., and S. Shen, "Host Identifier Revocation in HIP", Work in Progress, Internet-Draft, draft-irtf-hiprg-revocation-05, 9 March 2012, <https://datatracker.ietf.org/doc/html/draft-irtf-hiprg-revocation-05>.

[zhu-hip]

Zhu, X., Ding, Z., and X. Wang, "A Multicast Routing Algorithm Applied to HIP-Multicast Model", 2011 International Conference on Network Computing and Information Security, Guilin, China, pp. 169-174, DOI 10.1109/NCIS.2011.42, 2011, <https://doi.org/10.1109/NCIS.2011.42>.

[zhu-secure]

Zhu, X. and J. W. Atwood, "A Secure Multicast Model for Peer-to-Peer and Access Networks Using the Host Identity Protocol", 2007 4th IEEE Consumer Communications and Networking Conference, Las Vegas, NV, USA, pages 1098-1102, DOI 10.1109/CCNC.2007.221, 2007, <https://doi.org/10.1109/CCNC.2007.221>.

A.2. Drawbacks of HIP

In computer science, many problems can be solved with an extra layer of indirection. However, the indirection always involves some costs as there is no such a thing as a "free lunch". In the case of HIP, the main costs could be stated as follows:¶

Related to deployment drawbacks, firewalls are commonly used to control access to various services and devices in the current Internet. Since HIP introduces an additional namespace, it is expected that the HIP namespace would be filtered for unwanted connectivity also. While this can be achieved with existing tools directly in the end-hosts, filtering at the middleboxes requires modifications to existing firewall software or additional middleboxes [RFC6538].¶

The key exchange introduces some extra latency (two round trips) in the initial transport-layer connection establishment between two hosts. With TCP, additional delay occurs if the underlying network stack implementation drops the triggering SYN packet during the key exchange. The same cost may also occur during HIP handoff procedures. However, subsequent TCP sessions using the same HIP association will not bear this cost (within the key lifetime). Both the key exchange and handoff penalties can be minimized by caching TCP packets. The latter case can further be optimized with TCP user timeout extensions [RFC5482] as described in further detail by Schütz et al. [schuetz-intermittent].¶

The most CPU-intensive operations involve the use of the asymmetric keys and Diffie-Hellman key derivation at the control plane, but this occurs only during the key exchange, its maintenance (handoffs and refreshing of key material), and teardown procedures of HIP associations. The data plane is typically implemented with ESP because it has a smaller overhead due to symmetric key encryption. Naturally, even ESP involves some overhead in terms of latency (processing costs) and throughput (tunneling) (see, e.g., [ylitalo-diss] for a performance evaluation).¶

A.3. Deployment and Adoption Considerations

This section describes some deployment and adoption considerations related to HIP from a technical perspective.¶

A.4. Answers to NSRG Questions

The IRTF Name Space Research Group has posed a number of evaluating questions in their report [nsrg-report]. In this section, we provide answers to these questions.¶