Host Identity Protocol

The Host Identity Protocol (HIP) is a host identification technology for use on Internet Protocol (IP) networks, such as the Internet. The Internet has two main name spaces, IP addresses and the Domain Name System. HIP separates the end-point identifier and locator roles of IP addresses. It introduces a Host Identity (HI) name space, based on a public key security infrastructure.^[1]

The Host Identity Protocol provides secure methods for IP multihoming and mobile computing.^[1]

In networks that implement the Host Identity Protocol, all occurrences of IP addresses in applications are eliminated and replaced with cryptographic host identifiers. The cryptographic keys are typically, but not necessarily, self-generated.

The effect of eliminating IP addresses in application and transport layers is a decoupling of the transport layer from the internetworking layer (Internet Layer) in TCP/IP.^[2]

HIP was specified in the IETF HIP working group. An Internet Research Task Force (IRTF) HIP research group looks at the broader impacts of HIP.^[3]

The working group is chartered to produce Requests for Comments on the "Experimental" track, but it is understood that their quality and security properties should match the standards track requirements. The main purpose for producing Experimental documents instead of standards track ones are the unknown effects that the mechanisms may have on applications and on the Internet in the large.

Version 2

Host Identity Protocol version 2 (HIPv2) is the second iteration of HIP, specified in RFC 7401 in 2015. It replaces the original protocol defined in RFC 5201 and updates the cryptographic algorithms, packet format, and key exchange procedures.^[4] Like the original specification, HIPv2 separates the identifier and locator roles of IP addresses by introducing a cryptographic host identity namespace.^[1]

Security

Each host in HIPv2 is identified by a Host Identifier (HI) derived from a public key, with the Host Identity Tag (HIT) serving as a fixed-length representation suitable for use in protocols expecting an IPv6 address. HIPv2 mandates support for elliptic curve cryptography (ECDSA and ECDH) in addition to RSA, and includes mechanisms to mitigate denial-of-service attacks through a cryptographic puzzle exchanged during the base exchange.^[4] Data traffic between HIP hosts is typically protected using the Encapsulating Security Payload (ESP) transport format, specified in RFC 7402.^[5]

Mobility and multihoming

HIP supports host mobility by allowing a host to update its locator (IP address) without breaking ongoing transport-layer connections, since those connections are bound to the Host Identity rather than to an IP address. Mobility procedures are defined in RFC 8046.^[6] Multihoming, where a host maintains simultaneous reachability via several locators, is defined in a companion specification, RFC 8047.^[7]

RFC references

RFC 4423 - Host Identity Protocol (HIP) Architecture (early "informational" snapshot, obsoleted by RFC 9063)
RFC 5201 - Host Identity Protocol base (Obsoleted by RFC 7401)
RFC 5202 - Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP) (Obsoleted by RFC 7402)
RFC 5203 - Host Identity Protocol (HIP) Registration Extension (obsoleted by RFC 8003)
RFC 5204 - Host Identity Protocol (HIP) Rendezvous Extension (obsoleted by RFC 8004)
RFC 5205 - Host Identity Protocol (HIP) Domain Name System (DNS) Extension (obsoleted by RFC 8005)
RFC 5206 - End-Host Mobility and Multihoming with the Host Identity Protocol
RFC 5207 - NAT and Firewall Traversal Issues of Host Identity Protocol (HIP) Communication
RFC 6092 - Basic Requirements for IPv6 Customer Edge Routers
RFC 7401 - Host identity protocol version 2 (HIPv2) (updated by RFC 8002)
RFC 7402 - Using the Encapsulating Security Payload (ESP) transport format with the Host Identity Protocol (HIP)
RFC 8002 - Host Identity Protocol Certificates
RFC 8003 - Host Identity Protocol (HIP) Registration Extension
RFC 8004 - Host Identity Protocol (HIP) Rendezvous Extension
RFC 8005 - Host Identity Protocol (HIP) Domain Name System (DNS) Extension
RFC 8046 - Host Mobility with the Host Identity Protocol
RFC 8047 - Host Multihoming with the Host Identity Protocol
RFC 9028 - Native NAT Traversal Mode for the Host Identity Protocol
RFC 9063 - Host Identity Protocol Architecture

References

^ ^a ^b ^c Moskowitz, R.; Komu, M. (July 2021). Host Identity Protocol Architecture. Internet Engineering Task Force. doi:10.17487/RFC9063. RFC 9063.
^ Moskowitz, R.; Nikander, P. (May 2006). Host Identity Protocol (HIP) Architecture. Internet Engineering Task Force. sec. 4.1. doi:10.17487/RFC4423. RFC 4423.
^ "Host Identity Protocol (hip)". IETF Datatracker. Retrieved 2024-09-15.
^ ^a ^b Moskowitz, R.; Heer, T.; Jokela, P.; Henderson, T. (April 2015). Host Identity Protocol Version 2 (HIPv2). Internet Engineering Task Force. doi:10.17487/RFC7401. RFC 7401.
^ Jokela, P.; Moskowitz, R.; Melén, J. (April 2015). Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP). Internet Engineering Task Force. doi:10.17487/RFC7402. RFC 7402.
^ Henderson, T.; Vogt, C.; Arkko, J. (February 2017). Host Mobility with the Host Identity Protocol. Internet Engineering Task Force. doi:10.17487/RFC8046. RFC 8046.
^ Henderson, T.; Vogt, C.; Arkko, J. (February 2017). Host Multihoming with the Host Identity Protocol. Internet Engineering Task Force. doi:10.17487/RFC8047. RFC 8047.

External links

IETF HIP working group
IRTF HIP research group
OpenHIP project
How HIP works - InfraHIP project archive
HIP simulation framework for OMNeT++. Archived 2019-06-28 at the Wayback Machine

[RFC9063-1] Moskowitz, R.; Komu, M. (July 2021). Host Identity Protocol Architecture. Internet Engineering Task Force. doi:10.17487/RFC9063. RFC 9063.

[2] Moskowitz, R.; Nikander, P. (May 2006). Host Identity Protocol (HIP) Architecture. Internet Engineering Task Force. sec. 4.1. doi:10.17487/RFC4423. RFC 4423.

[3] "Host Identity Protocol (hip)". IETF Datatracker. Retrieved 2024-09-15.

[RFC7401-4] Moskowitz, R.; Heer, T.; Jokela, P.; Henderson, T. (April 2015). Host Identity Protocol Version 2 (HIPv2). Internet Engineering Task Force. doi:10.17487/RFC7401. RFC 7401.

[5] Jokela, P.; Moskowitz, R.; Melén, J. (April 2015). Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP). Internet Engineering Task Force. doi:10.17487/RFC7402. RFC 7402.

[6] Henderson, T.; Vogt, C.; Arkko, J. (February 2017). Host Mobility with the Host Identity Protocol. Internet Engineering Task Force. doi:10.17487/RFC8046. RFC 8046.

[7] Henderson, T.; Vogt, C.; Arkko, J. (February 2017). Host Multihoming with the Host Identity Protocol. Internet Engineering Task Force. doi:10.17487/RFC8047. RFC 8047.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

v t e Authentication
Authentication APIs	BSD Authentication (BSD Auth) eAuthentication (eAuth) Generic Security Services API (GSSAPI) Java Authentication and Authorization Service (JAAS) Pluggable Authentication Modules (PAM) Simple Authentication and Security Layer (SASL) Security Support Provider Interface (SSPI) XCert Universal Database API (XUDA)
Authentication protocols	ACF2 Authentication and Key Agreement (AKA) CAVE-based authentication Challenge-Handshake Authentication Protocol (CHAP) MS-CHAP Central Authentication Service (CAS) CRAM-MD5 Diameter Extensible Authentication Protocol (EAP) Host Identity Protocol (HIP) IndieAuth Kerberos LAN Manager NT LAN Manager (NTLM) OAuth OpenID OpenID Connect (OIDC) Password-authenticated key agreement protocols Password Authentication Protocol (PAP) Protected Extensible Authentication Protocol (PEAP) Remote Access Dial In User Service (RADIUS) Resource Access Control Facility (RACF) Secure Remote Password protocol (SRP) TACACS Woo–Lam
Category Commons