
HIP Secure Service Discovery

Leo Bhebhe
Helsinki University of Technology
Department Of Computer Science
leo.bhebhe@nokia.com

T-110.7190 Research Seminar on telecom software/29.11.2005/LB

CONTENTS
Introduction
Services
Service Discovery System
Service Discovery Protocols
Service Discovery mechanism
Security Concerns
Host Identity Protocol
Name Resolution
Secure-i3
HI3
Shortcoming of HIP
Conclusion

Introduction
What is a service?
A service is a component or application that performs the work on behalf of a
requesting application or client


Services
Offered by networks in distributed systems, e.g. those offered by
printers,
copiers,
scanners,
fax machines

Internet service providers, e.g.
conversational (e.g. voice over IP),
streaming (video and music),
interactive (e.g. gaming),
background (e.g. e-mail delivery)

Information services
Nearest Pizza Hut, weather forecast, today's flight schedule
Transport services in case of emergency (e.g. car breakdown, lost in the wild, coast guard help, taxi)

Payment services
Etc.

Service Discovery System


Allow users and their devices to discover services over any specific underlying
networking technology (e.g., cellular systems, wireless local area networks,
DSL)
Independent of the underlying networking technologies so that it can support
heterogeneous and changing network technologies.
Not be limited to only the traditional client-server based systems.
May be realized using peer-to-peer technologies or a combination of client-server and peer-to-peer technologies

SDPs & Security Features Solutions

[Table: security feature solutions of the compared service discovery protocols. The cell layout was lost in extraction; only the row and column labels and the cell values below are recoverable.]
Protocols compared: SLPv2, Jini, UPnP, Salutation, Bluetooth
Message encryption: symmetric; symmetric (SSL/TLS)
Key exchange: asymmetric (SSL/TLS); plain text
Authorization: digital signatures, X.509; password

[Figure: UPnP protocol stack. Left: Application (HTTP, SMTP) / Transport (TCP, UDP) / Network (IP) / Link (Ethernet, PPP) / Physical, with UPnP and the UPnP API sitting on top of HTTP (extension). Right: the same stack with a Host Identity layer inserted between Transport (TCP, UDP) and Network (IP).]
e.g. UPnP, SLP are built on top of the TCP/IP protocol stack
Adding a waist to the protocol may give it some basic security

Service Discovery Mechanism


Knowledge of services
Search for services involves two steps
DNS name resolution of end host
Contacting the host directly for data/service
Concern
DNS resolution time (typical resolution time O(log n))
Security: data integrity, i.e. no one else can change the resolution of an entity's name; DoS

Retrieval of data and service [Registration & authentication]

Secure data transmission or service provision

Security
The discovery function is a source of security concern
Security is an integral part of service discovery
Denial of service attacks (DOS) or distributed Denial of service attacks (DDOS)
Confidentiality and integrity in service discovery are primary for
communication security
Security needs will vary from application to application


Host Identity Protocol

New cryptographic identifiers


Host Identities (public key of an asymmetric key pair)
Host Identity Tags (128 bits) - a hash of the HI
IP addresses as locators
An authentication and key exchange protocol
IPsec ESP transport mode for data traffic security.

Bindings in the current and new architecture

Naming endpoints with HIs provides natural solutions for mobility and multipoint
If an endpoint identified by HI[i] changes its IP address, the host identity layer on the peer of the endpoint will re-resolve HI[i] to find a new IP address.
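Added example (not from the slides): a Python model of the two identifiers introduced above and of the re-resolution the bindings slide describes. The HIT derivation follows the ORCHID shape (the 2001:10::/28 prefix followed by hash bits, with the context ID RFC 5201 specifies), but the exact bit extraction of RFC 4843 is simplified; the "public keys" are constructed byte strings, and every class and function name is this example's own. The point it shows is that a HIT is self-certifying: a peer can recompute it from the HI it is shown, so a locator update that arrives with the wrong key is rejected.

```python
import hashlib
import ipaddress

# Context ID that HIP mixes into the hash before deriving a HIT (RFC 5201, 3.2).
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
# ORCHID prefix 2001:10::/28 (RFC 4843): the top 28 bits of every HIT.
ORCHID_PREFIX = 0x2001001 << 100


def host_identity_tag(hi: bytes) -> str:
    """Derive a 128-bit HIT from a Host Identity (the encoded public key).

    Simplified ORCHID: 28-bit prefix followed by the low 100 bits of
    SHA-1(context || HI). The bit extraction of RFC 4843 is not reproduced
    exactly (assumption); what matters here is that the tag is a one-way
    function of the key.
    """
    digest = hashlib.sha1(HIP_CONTEXT_ID + hi).digest()
    low100 = int.from_bytes(digest, "big") & ((1 << 100) - 1)
    return str(ipaddress.IPv6Address(ORCHID_PREFIX | low100))


def verify_host_identity(claimed_hit: str, hi: bytes) -> bool:
    """A HIT is self-certifying: recompute it from the HI the peer presents
    and reject a peer whose key does not hash to the tag it claims."""
    return ipaddress.IPv6Address(claimed_hit) == ipaddress.IPv6Address(
        host_identity_tag(hi))


class HostIdentityLayer:
    """Minimal HI-to-locator table kept by a peer (constructed model)."""

    def __init__(self):
        self._locators = {}  # HIT -> current IP address (locator)

    def learn(self, hi: bytes, ip: str) -> str:
        """Bind a peer's HIT to the locator it is currently reachable at."""
        hit = host_identity_tag(hi)
        self._locators[hit] = ip
        return hit

    def readdress(self, claimed_hit: str, hi: bytes, new_ip: str) -> bool:
        """Accept a locator change only from a peer whose HI matches the HIT.
        An update carrying a key that does not hash to the HIT is ignored."""
        if claimed_hit not in self._locators:
            return False
        if not verify_host_identity(claimed_hit, hi):
            return False
        self._locators[claimed_hit] = new_ip
        return True

    def resolve(self, hit: str):
        """Re-resolve a HIT to its current locator (None if unknown)."""
        return self._locators.get(hit)


if __name__ == "__main__":
    # Constructed stand-ins for DER-encoded public keys.
    hi_a = b"constructed-public-key-of-host-A"
    hi_b = b"constructed-public-key-of-host-B"
    layer = HostIdentityLayer()
    hit_a = layer.learn(hi_a, "192.0.2.10")
    print("HIT(A) =", hit_a, "->", layer.resolve(hit_a))
    print("genuine readdress:", layer.readdress(hit_a, hi_a, "198.51.100.7"))
    print("spoofed readdress:", layer.readdress(hit_a, hi_b, "203.0.113.9"))
    print("resolved now:", layer.resolve(hit_a))
```

The table is keyed by HIT rather than by IP address, which is exactly the inversion the slide describes: the address can change under the association, and only a holder of the matching HI can move the binding.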

HIP Base Exchange

Initiator -> Responder, I1: trigger exchange [HIT_I, HIT_R]
Responder -> Initiator, R1: HIT_R, HIT_I, puzzle, DH_R, PK_R, Sig
Initiator -> Responder, I2: HIT_I, HIT_R, SPI_I, solution, DH_I, {PK_I}, Sig
Responder -> Initiator, R2: HIT_R, HIT_I, SPI_R, Sig
Initiator <-> Responder: ESP protected message
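Added example, not from the slides: a Python simulation of the four messages with both sides' processing. It models only the puzzle/solution part of R1/I2 and the HI-to-HIT check; the Diffie-Hellman values and signatures of the real exchange are omitted (stated assumption), HITs are a simplified hash, and all names are the example's own. It shows the asymmetry the puzzle creates for DoS resistance: the initiator spends about 2^K hash computations, the responder spends one, and the responder derives the puzzle from a local secret so that it keeps no per-initiator state until a valid I2 arrives.

```python
import hashlib
import hmac
import secrets


def hit_of(hi: bytes) -> bytes:
    """Simplified 128-bit Host Identity Tag: a hash of the HI (public key)."""
    return hashlib.sha1(hi).digest()[:16]


def puzzle_hash(I: bytes, hit_i: bytes, hit_r: bytes, J: int) -> int:
    data = I + hit_i + hit_r + J.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def solve_puzzle(I: bytes, hit_i: bytes, hit_r: bytes, K: int) -> int:
    """Initiator's work: find J whose hash has its low K bits clear."""
    J = 0
    while puzzle_hash(I, hit_i, hit_r, J) & ((1 << K) - 1):
        J += 1
    return J


def check_puzzle(I: bytes, hit_i: bytes, hit_r: bytes, K: int, J: int) -> bool:
    """Responder's check: a single hash, whatever K is."""
    return puzzle_hash(I, hit_i, hit_r, J) & ((1 << K) - 1) == 0


class Responder:
    def __init__(self, hi: bytes, K: int = 10):
        self.hi, self.hit, self.K = hi, hit_of(hi), K
        self._secret = secrets.token_bytes(16)  # for stateless puzzle generation
        self.associations = {}                  # HIT_I -> (SPI_I, SPI_R)

    def _puzzle_I(self, hit_i: bytes) -> bytes:
        # Derive I from a local secret: a flood of I1s costs one HMAC each and
        # no memory, and I can be recomputed when the I2 comes back.
        return hmac.new(self._secret, hit_i + self.hit, "sha1").digest()[:8]

    def handle_i1(self, i1: dict) -> dict:
        if i1["hit_r"] != self.hit:
            raise ValueError("I1 not addressed to this responder")
        return {"type": "R1", "hit_r": self.hit, "hit_i": i1["hit_i"],
                "puzzle": (self._puzzle_I(i1["hit_i"]), self.K),
                "hi_r": self.hi}  # DH_R and Sig omitted in this model

    def handle_i2(self, i2: dict):
        hit_i = i2["hit_i"]
        # Cheap checks first: no state is created until the solution verifies.
        if not check_puzzle(self._puzzle_I(hit_i), hit_i, self.hit, self.K,
                            i2["solution"]):
            return None
        if hit_of(i2["hi_i"]) != hit_i:  # presented HI must match claimed HIT
            return None
        spi_r = int.from_bytes(secrets.token_bytes(4), "big")
        self.associations[hit_i] = (i2["spi_i"], spi_r)
        return {"type": "R2", "hit_r": self.hit, "hit_i": hit_i, "spi_r": spi_r}


def run_base_exchange(initiator_hi: bytes, responder: Responder,
                      tamper: bool = False):
    """Drive I1/R1/I2/R2; returns the R2, or None if the responder refused."""
    hit_i = hit_of(initiator_hi)
    i1 = {"type": "I1", "hit_i": hit_i, "hit_r": responder.hit}
    r1 = responder.handle_i1(i1)
    I, K = r1["puzzle"]
    J = solve_puzzle(I, hit_i, r1["hit_r"], K)
    if tamper:
        # An initiator that skipped the work: pick a J that provably fails.
        J += 1
        while check_puzzle(I, hit_i, r1["hit_r"], K, J):
            J += 1
    spi_i = int.from_bytes(secrets.token_bytes(4), "big")
    i2 = {"type": "I2", "hit_i": hit_i, "hit_r": responder.hit,
          "spi_i": spi_i, "solution": J, "hi_i": initiator_hi}
    return responder.handle_i2(i2)


if __name__ == "__main__":
    resp = Responder(b"constructed-responder-key", K=12)
    print("honest initiator:", run_base_exchange(b"constructed-initiator-key", resp))
    print("bogus solution  :", run_base_exchange(b"constructed-other-key", resp, tamper=True))
    print("associations    :", len(resp.associations))
```

Raising K raises only the initiator's cost; the responder can do so under load, which is the lever the puzzle gives against I1/I2 floods.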

Name Resolution

[Figure: HIP name resolution. Components: Application, Resolver, DNS, Socket layer, Transport, HIP, IPsec, Network. Numbered labels: 1. <FQDN> and 2. <FQDN> from the application through the resolver to the DNS; 3. <HI, Addresses> and 4. <HI, Addresses> back from the DNS through the resolver; 5. <ED> and 6. <ED>, where ED [HI, Address] is the endpoint descriptor handed from the socket layer down the stack.]
HIs in the DNS
DNS query asks for addresses and HITs
Requires one to have a DNS name
HITs not resolvable due to name space being flat
DNS resolution time
Possible DoS attacks (knowledge of DNS IP address)

HIP With Rendezvous Server

Mappings are registered at the DNS:
FQDN(R) -> HI(R)
FQDN(R) -> IP(RVS)
Mapping registered at the RVS: HI(R) -> IP(R)
Update of IP(R) at RVS, if IP(R) changes

[Figure: Initiator, DNS, RVS and Receiver R]
1. Query FQDN(R) (Initiator -> DNS)
2. HI(R), IP(RVS) (DNS -> Initiator)
3. I1 to IP(RVS)
4. I1 to IP(R) (relayed by the RVS)
5. R1
6. I2 to IP(R)
7. R2
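Added example, not from the slides: a Python model of the seven steps above with a constructed DNS, rendezvous server, network and two hosts, all named by this example. It shows the property that makes the RVS useful for mobility: when the receiver changes address only the RVS binding HI(R) -> IP(R) is updated, the DNS records stay as they are, and only the I1 is relayed; R1, I2 and R2 travel directly between the peers. Message contents are reduced to the fields the routing needs (puzzle, keys and signatures are left out).

```python
class DNS:
    """Constructed DNS holding the two records registered per host."""

    def __init__(self):
        self.records = {}  # FQDN -> {"HI": host identity, "RVS": IP of the RVS}

    def register(self, fqdn, hi, rvs_ip):
        self.records[fqdn] = {"HI": hi, "RVS": rvs_ip}

    def query(self, fqdn):
        return self.records[fqdn]


class Network:
    """Delivers a message to whichever node currently owns an IP address."""

    def __init__(self):
        self.nodes = {}  # ip -> node
        self.trace = []  # (src_ip, dst_ip, message type)

    def attach(self, node, ip):
        self.nodes[ip] = node

    def detach(self, ip):
        self.nodes.pop(ip, None)

    def send(self, src_ip, dst_ip, msg):
        self.trace.append((src_ip, dst_ip, msg["type"]))
        return self.nodes[dst_ip].receive(self, src_ip, msg)


class RendezvousServer:
    def __init__(self, ip):
        self.ip = ip
        self.bindings = {}  # HI(R) -> IP(R)

    def register(self, hi, ip):
        """Initial registration and also the update when IP(R) changes."""
        self.bindings[hi] = ip

    def receive(self, net, src_ip, msg):
        # Only I1 is relayed (step 3 -> step 4); the original sender's
        # address travels along so that R1 can go back directly.
        if msg["type"] != "I1" or msg["hi_r"] not in self.bindings:
            return None
        relayed = dict(msg, from_ip=src_ip)
        return net.send(self.ip, self.bindings[msg["hi_r"]], relayed)


class Host:
    def __init__(self, name, hi, ip):
        self.name, self.hi, self.ip = name, hi, ip
        self.peers = {}  # peer HI -> locator learned from the exchange

    def receive(self, net, src_ip, msg):
        t = msg["type"]
        if t == "I1":  # step 4: answer with R1 straight to the initiator (step 5)
            initiator_ip = msg.get("from_ip", src_ip)
            return net.send(self.ip, initiator_ip,
                            {"type": "R1", "hi_r": self.hi, "hi_i": msg["hi_i"]})
        if t == "R1":  # step 5: R1 came from IP(R), so I2 goes there (step 6)
            self.peers[msg["hi_r"]] = src_ip
            return net.send(self.ip, src_ip,
                            {"type": "I2", "hi_i": self.hi, "hi_r": msg["hi_r"]})
        if t == "I2":  # step 6 -> R2 (step 7)
            self.peers[msg["hi_i"]] = src_ip
            return net.send(self.ip, src_ip,
                            {"type": "R2", "hi_r": self.hi, "hi_i": msg["hi_i"]})
        if t == "R2":  # base exchange complete
            return msg
        return None


def initiate(net, dns, initiator, fqdn_r):
    """Steps 1-3: resolve FQDN(R) to HI(R) and IP(RVS), send I1 to the RVS."""
    rec = dns.query(fqdn_r)
    i1 = {"type": "I1", "hi_i": initiator.hi, "hi_r": rec["HI"]}
    return net.send(initiator.ip, rec["RVS"], i1)


def move_host(net, rvs, host, new_ip):
    """Host changes address: re-attach and update the RVS binding only."""
    net.detach(host.ip)
    host.ip = new_ip
    net.attach(host, new_ip)
    rvs.register(host.hi, new_ip)


if __name__ == "__main__":
    net, dns, rvs = Network(), DNS(), RendezvousServer("192.0.2.1")
    net.attach(rvs, rvs.ip)
    init = Host("I", b"hi-I", "198.51.100.10")
    resp = Host("R", b"hi-R", "203.0.113.5")
    net.attach(init, init.ip)
    net.attach(resp, resp.ip)
    dns.register("r.example", resp.hi, rvs.ip)
    rvs.register(resp.hi, resp.ip)
    print(initiate(net, dns, init, "r.example"), net.trace)
    move_host(net, rvs, resp, "203.0.113.77")
    net.trace.clear()
    print(initiate(net, dns, init, "r.example"), net.trace)
```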

Secure Internet Indirection Infrastructure (i3)

[Figure: i3 indirection. The initiator sends a data packet (ID, DATA) to an i3 node; the i3 node holds a trigger (ID, ADDR) inserted by the receiver, where ADDR = IP or identifier, and forwards the data to the receiver. IP routers and i3 nodes form the overlay. Figure credit: istoica@cs.berkeley.edu]

Add an efficient indirection layer on top of IP
Use an overlay network to implement it
Incrementally deployable; no need to change IP
When the initiator acquires an ID from DNS, it sends the packets with the ID to the closest i3 node.
The i3 node searches for the particular trigger (id, addr) and sends the packets to the receiver

DoS Prevention Mechanism (Secure-i3)

[Figure: sender S, i3 server storing the public id (pubid), i3 server storing the private id (privid), receiver R; IP routers and i3 nodes]
1. Send (pubid, data) to the i3 server storing the public id
2. The i3 server storing the public id sends (privid, data) to the i3 server storing the private id
3. The i3 server storing the private id sends (R, data) to the receiver R
4. The receiver sends back to the i3 server storing the private id (S, data) + privid
5. The i3 server storing the private id sends to the sender (S, data) + privid
6. The initiator then sends (privid, data) to the i3 server storing the private id
7. The i3 server storing the private id then forwards (R, data) to the receiver
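Added example, not from the slides: a Python model of the seven steps above over a constructed overlay of three i3 servers, with trigger ownership decided by a hash of the id. Class and function names are this example's own. It shows the defensive value of the public/private split: the receiver's address is reachable only through the private trigger, a sender learns the private id only after a first packet has gone through the public chain, and the receiver can drop a private trigger that is being flooded and install a fresh one without changing the public id it advertises.

```python
import hashlib
import secrets


class I3Server:
    """One i3 overlay node; stores (id -> addr) triggers for the ids it owns."""

    def __init__(self, name):
        self.name, self.triggers = name, {}

    def insert(self, tid, addr):
        self.triggers[tid] = addr

    def remove(self, tid):
        self.triggers.pop(tid, None)


class I3Overlay:
    """Routes (id, data) packets. A trigger's addr is either a host IP or
    another id, in which case the packet is forwarded along the chain."""

    def __init__(self, servers, hosts):
        self.servers, self.hosts, self.log = servers, hosts, []

    def owner(self, tid):
        h = int.from_bytes(hashlib.sha1(tid.encode()).digest(), "big")
        return self.servers[h % len(self.servers)]

    def send(self, tid, data) -> bool:
        srv = self.owner(tid)
        addr = srv.triggers.get(tid)
        self.log.append((srv.name, tid, addr))
        if addr is None:
            return False  # no trigger: the packet dies inside the overlay
        if addr in self.hosts:
            self.hosts[addr].inbox.append((tid, data))
            return True
        return self.send(addr, data)  # addr is another id: follow the chain


class Host:
    def __init__(self, ip):
        self.ip, self.inbox = ip, []


class Receiver(Host):
    def __init__(self, ip, overlay):
        super().__init__(ip)
        self.overlay = overlay
        self.pubid = "pub-" + secrets.token_hex(4)  # the id published for R
        self.privid = None
        self.rotate_private_id()

    def rotate_private_id(self):
        """Drop the private trigger (e.g. when it is being flooded) and
        install a fresh one. The public id stays valid."""
        if self.privid:
            self.overlay.owner(self.privid).remove(self.privid)
        self.privid = "priv-" + secrets.token_hex(4)
        self.overlay.owner(self.privid).insert(self.privid, self.ip)    # privid -> R
        self.overlay.owner(self.pubid).insert(self.pubid, self.privid)  # pubid -> privid
        return self.privid


def secure_i3_session(overlay, sender, sender_id, receiver, data):
    """Steps 1-7 of the slide; returns the private id the sender learned."""
    # 1-3: (pubid, data) enters at the public-id server and is chained to R.
    overlay.send(receiver.pubid, {"from": sender_id, "data": data})
    _, first = receiver.inbox[-1]
    # 4-5: R replies over the sender's own trigger and reveals privid to it.
    overlay.send(first["from"], {"data": first["data"], "privid": receiver.privid})
    _, reply = sender.inbox[-1]
    # 6-7: subsequent packets go straight to the private-id server.
    overlay.send(reply["privid"], {"from": sender_id, "data": data})
    return reply["privid"]


if __name__ == "__main__":
    hosts = {}
    overlay = I3Overlay([I3Server(f"i3-{i}") for i in range(3)], hosts)
    s = Host("198.51.100.10")
    hosts[s.ip] = s
    r = Receiver("203.0.113.5", overlay)
    hosts[r.ip] = r
    overlay.owner("snd-1").insert("snd-1", s.ip)  # sender's own trigger
    print("learned", secure_i3_session(overlay, s, "snd-1", r, "hello"))
    old = r.rotate_private_id() and None
    print("overlay log:", overlay.log)
```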

Host Internet Indirection Infrastructure (HI3)

[Figure: HI3 base exchange through i3. The DNS holds FQDN(R) -> HI(R) and FQDN(R) -> IP(RVS); one i3 server stores public triggers and another stores private triggers. 1. Query FQDN(R) (Initiator -> DNS); 2. HIT, Address (DNS -> Initiator); 3. I1 via the public trigger; 4. R1; 5. I2 and 6. R2 via the private trigger; IPsec data traffic then flows directly between Initiator and Receiver.]
In HI3, the HIT can act as a trigger.

Shortcoming of HIP
HIP alone cannot provide full security. There is a need for other architectures and network elements to provide the required security:
DNS to store HIs (host identities) and provide a mapping to the current IP interface addresses
Rendezvous Server
Problems with NATs
Problems with Firewalls

HIP + Secure-i3 = Better DoS protection than HIP alone

End-to-end security (privacy)
Simultaneous mobility support using middleboxes instead of RVS or i3 server
HI3 aware NAT/FWs

Problems with NATs


IPv6 and IPv4 using IP payload do not work with current (multiplexing) NATs
NATs do create state for TCP/UDP ports and ICMP codes
They need to be extended to do the same for HITs
Would work well with non-multiplexing (IPv6) NATs
IPv4 over UDP works, but not if source port is fixed (to 272)

Firewalls and NATs block applications that choose port numbers dynamically
Solution
UDP encapsulation (some firewalls block UDP)
Intercept the flow id during the initial stages

HI3 aware NAT/FWs


HI3 aware NAT/FWs are needed
to support simultaneous mobility
Secure Trigger Insertion mechanism
Intercept the flow identifier during base exchange
Authenticate requesting HI3 nodes before creating a NAT binding or FW pinhole
Authorize the requesting HI3 nodes
DoS attack resistance

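Added example, not from the slides: a Python model of the middlebox behaviour listed on the last two slides (intercept the flow identifier during the base exchange, authenticate and authorize the HI3 nodes before creating a binding or pinhole). The firewall class and packet layout are this example's own. Authentication is represented by the self-certifying check that the HI a peer presents hashes to the HIT it claims; verifying the signatures on R1/I2/R2 is assumed to happen at the same point and is not modelled. State is allocated only for authorized initiators, and an ESP pinhole (keyed by SPI) opens only after a complete exchange.

```python
import hashlib


def hit_of(hi: bytes) -> bytes:
    """Simplified HIT: hash of the Host Identity (public key)."""
    return hashlib.sha1(hi).digest()[:16]


class HipAwareFirewall:
    """Stateful firewall that learns flow identifiers (HITs, SPIs) from the
    base exchange and opens an ESP pinhole only after both peers have shown
    a HI matching their HIT and the initiator is authorized."""

    def __init__(self, authorized_hits):
        self.authorized = set(authorized_hits)  # HITs allowed to open pinholes
        self.pending = {}                       # (hit_i, hit_r) -> exchange state
        self.pinholes = set()                   # ESP SPIs allowed through
        self.dropped = []

    def forward(self, pkt: dict) -> bool:
        t = pkt["type"]
        key = (pkt.get("hit_i"), pkt.get("hit_r"))
        st = self.pending.get(key)
        if t == "ESP":
            ok = pkt["spi"] in self.pinholes
        elif t == "I1":
            # Authorize before keeping any state, so unknown HITs cost nothing.
            ok = pkt["hit_i"] in self.authorized
            if ok:
                self.pending[key] = {"stage": "I1"}
        elif t == "R1":
            # Responder proves it owns HIT_R: its HI must hash to that tag.
            ok = (st is not None and st["stage"] == "I1"
                  and hit_of(pkt["hi_r"]) == pkt["hit_r"])
            if ok:
                st["stage"] = "R1"
        elif t == "I2":
            # Same proof for the initiator; record the SPI it chose.
            ok = (st is not None and st["stage"] == "R1"
                  and hit_of(pkt["hi_i"]) == pkt["hit_i"])
            if ok:
                st["stage"] = "I2"
                st["spi_i"] = pkt["spi_i"]
        elif t == "R2":
            ok = st is not None and st["stage"] == "I2"
            if ok:
                # Exchange complete: open the pinhole for both ESP SPIs.
                self.pinholes.update({st["spi_i"], pkt["spi_r"]})
                del self.pending[key]
        else:
            ok = False
        if not ok:
            self.dropped.append(pkt)
        return ok


if __name__ == "__main__":
    hi_i, hi_r = b"constructed-initiator-key", b"constructed-responder-key"
    hit_i, hit_r = hit_of(hi_i), hit_of(hi_r)
    fw = HipAwareFirewall([hit_i])
    for pkt in [{"type": "ESP", "spi": 0x1111},
                {"type": "I1", "hit_i": hit_i, "hit_r": hit_r},
                {"type": "R1", "hit_i": hit_i, "hit_r": hit_r, "hi_r": hi_r},
                {"type": "I2", "hit_i": hit_i, "hit_r": hit_r, "hi_i": hi_i, "spi_i": 0x1111},
                {"type": "R2", "hit_i": hit_i, "hit_r": hit_r, "spi_r": 0x2222},
                {"type": "ESP", "spi": 0x1111},
                {"type": "ESP", "spi": 0x3333}]:
        print(pkt["type"], "->", "pass" if fw.forward(pkt) else "drop")
```

Because the pinhole is keyed by the SPIs seen in I2/R2 rather than by port numbers, it survives the dynamic port choice that the NAT slide lists as the problem, and it never opens for ESP traffic whose SPI was not negotiated in front of the firewall.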

QoS
Serviceability aims at describing how well a customer is served
Service discovery mechanisms lack the ability to discover and negotiate the QoS services supported by devices or required by users
QoS service verification
Users' experience
Your friends' knowledge

Resolution service providers

Form a competitive, cooperating economic market much like ISPs
Incentives would come from how well they served their customers

Conclusion
The Host Identity Protocol (HIP) uses cryptographic host identities to provide secure and efficient end-to-end communication without requiring a distributed key authority. However, HIP can be vulnerable to attacks and requires infrastructure such as Secure-i3 and HI3 aware NAT/FWs to support secure service discovery.
For HIP to be used for dynamic service discovery in a heterogeneous network, a lot of protocols need to be changed to support HIP, and terminals, just like the heterogeneous networks, need to be HIP aware.
It is possible to implement, but it requires joint forces from all governments to make this happen, and as usual a good business case should substantiate the need.
Currently HIP is undergoing tests and specification and it is too early to think about its deployment.
However, the HI3 infrastructure looks promising compared to the current Internet. Functionalities like multicast, anycast and service composition are still an issue and need further work.
