[Docs] [txt|pdf] [Tracker] [Email] [Nits]
Versions: 00
Network Working Group L. Eggert
Internet-Draft NEC
Expires: January 10, 2005 J. Laganier
LIP / Sun Microsystems
July 12, 2004
Host Identity Protocol (HIP) Rendezvous Extensions
draft-eggert-hip-rvs-00
Status of this Memo
By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
and any of which I become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 10, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document discusses rendezvous extensions for the Host Identity
Protocol (HIP). Rendezvous mechanisms extend HIP for communication
with HIP Rendezvous Servers. Rendezvous Servers improve operation
when HIP nodes are multi-homed or mobile. The first part of his
document motivates the need for rendezvous mechanisms; the second
part describes the protocol extensions in detail.
Eggert & Laganier Expires January 10, 2005 [Page 1]
Internet-Draft HIP Rendezvous Extensions July 2004
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Communication Between HIP Nodes . . . . . . . . . . . . . . . 5
3. Communication Between Mobile or Multi-Homed HIP Nodes . . . . 7
3.1 Mobility and Multi-Homing with DNS Updates . . . . . . . . 7
3.2 Mobility and Multi-Homing with Rendezvous Servers . . . . 8
4. HIP Extensions for Rendezvous Servers . . . . . . . . . . . . 10
4.1 Additional Control Fields in the HIP Base Header . . . . . 10
4.1.1 RVS Control Field . . . . . . . . . . . . . . . . . . 10
4.1.2 CONCEAL_IP Control Field . . . . . . . . . . . . . . . 10
4.2 Additional HIP Parameters for Communication with
Rendezvous Servers . . . . . . . . . . . . . . . . . . . . 11
4.2.1 RVA_REQUEST Parameter Format and Processing . . . . . 11
4.2.2 RVA_REPLY Parameter Format and Processing . . . . . . 11
4.2.3 RVA_HMAC Parameter Format and Processing . . . . . . . 12
4.2.4 FROM Parameter Format and Processing . . . . . . . . . 13
4.2.5 TO Parameter Format and Processing . . . . . . . . . . 14
4.2.6 VIA_RVS Parameter Format and Processing . . . . . . . 15
4.3 Use of Existing HIP Messages and Parameters . . . . . . . 15
4.3.1 ECHO_REQUEST and ECHO_REPLY Parameters . . . . . . . . 15
4.3.2 REA Parameter . . . . . . . . . . . . . . . . . . . . 16
4.3.3 NES Parameter . . . . . . . . . . . . . . . . . . . . 16
5. Diagram Notation . . . . . . . . . . . . . . . . . . . . . . . 17
6. Establishing Rendezvous Associations . . . . . . . . . . . . . 17
7. Establishing HIP Associations via Rendezvous Servers . . . . . 19
7.1 Sending a Redirect in Reply to I1 . . . . . . . . . . . . 19
7.2 Relaying I1 Only . . . . . . . . . . . . . . . . . . . . . 20
7.2.1 Passing I1 Through an ESP SA . . . . . . . . . . . . . 20
7.2.2 Rewriting I1 Destination IP Address . . . . . . . . . 21
7.2.3 Rewriting I1 Source and Destination IP Addresses . . . 22
7.3 Relaying Additional HIP Packets . . . . . . . . . . . . . 23
7.3.1 Concealing the Responder IP Address . . . . . . . . . 24
7.3.2 Concealing the Initiator IP Address . . . . . . . . . 25
7.3.3 Concealing Initiator and Responder IP Addresses . . . 26
7.4 Cascading Rendezvous Servers . . . . . . . . . . . . . . . 27
7.5 Opportunistic Initiators . . . . . . . . . . . . . . . . . 29
7.6 Implication on the HIP integrity checks . . . . . . . . . 29
7.6.1 Checksum . . . . . . . . . . . . . . . . . . . . . . . 29
7.6.2 HMAC and SIGNATURE . . . . . . . . . . . . . . . . . . 29
7.6.3 Example . . . . . . . . . . . . . . . . . . . . . . . 29
8. Security Considerations . . . . . . . . . . . . . . . . . . . 30
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 30
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 30
10.1 Normative References . . . . . . . . . . . . . . . . . . . . 30
10.2 Informative References . . . . . . . . . . . . . . . . . . . 31
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 31
A. Document Revision History . . . . . . . . . . . . . . . . . . 32
Eggert & Laganier Expires January 10, 2005 [Page 2]
Internet-Draft HIP Rendezvous Extensions July 2004
Intellectual Property and Copyright Statements . . . . . . . . 33
Eggert & Laganier Expires January 10, 2005 [Page 3]
Internet-Draft HIP Rendezvous Extensions July 2004
1. Introduction
The current Internet uses two global namespaces: domain names and IP
addresses. The Domain Name System (DNS) provides a two-way lookup
service between the two [1]. Domain names are symbolic identifiers
for sets of IP addresses.
IP addresses have two uses. First, they are topological locators for
network attachment points. Second, they act as names for the
attached network interfaces. Saltzer [10] discusses these naming
concepts in detail.
Routing and other network-layer mechanisms are based on the locator
aspects of IP addresses. Transport-layer protocols and mechanisms
typically use IP addresses in their role as names for communication
endpoints.
This dual use of IP addresses limits the flexibility of the Internet
architecture. The need to avoid readdressing in order to maintain
existing transport-layer connections complicates advanced
functionality, such as mobility, multi-homing, or network
composition.
The Host Identity Protocol (HIP) architecture [2] defines a new third
namespace. The Host Identity namespace decouples the name and
locator roles currently filled by IP addresses. Instead of mapping
domain names directly into IP addresses, HIP maps domain names into
Host Identities, and Host Identities into IP addresses.
Transport-layer mechanisms operate on Host Identities instead of
using IP addresses as endpoint names. Network-layer mechanisms
continue to use IP addresses as pure locators.
Without HIP, nodes establish transport-layer connections by first
looking up the fully-qualified domain name (FQDN) of a peer in the
DNS. A successful DNS lookup returns the peer's IP addresses. A
node uses one of the returned IP addresses to initiate
transport-layer communication with a peer node.
HIP nodes will also look up the domain name of desired peers in the
DNS. When a successful lookup includes a peer's Host Identities, HIP
nodes perform a HIP Base Exchange before establishing transport-layer
connections. The HIP Base Exchange authenticates the end hosts and
can bootstrap encryption of the subsequent communication with IPsec
[11]. The HIP specification [3] discusses the details of the Base
Exchange and the related protocol exchanges.
After the Base Exchange, HIP nodes use Host Identities instead of IP
addresses for transport-layer connections with a peer. The HIP layer
Eggert & Laganier Expires January 10, 2005 [Page 4]
Internet-Draft HIP Rendezvous Extensions July 2004
in the network stack internally translates Host Identities (HI) into
network-layer IP addresses. This additional mapping between Host
Identities and IP addresses (HI->IP) is logically separate from the
first mapping between fully-qualified domain names and Host
Identities (FQDN->HI).
For application and transport-layer compatibility, the FQDN->HI
mapping must remain in the DNS. However, the HI->IP mapping is
internal to the HIP layer and may be performed in a number of ways.
Different lookup mechanism may support communication between two
mobile or multi-homed HIP nodes better [4].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [5].
2. Communication Between HIP Nodes
In the current Internet, the DNS provides a FQDN->IP mapping. With
HIP, it must continue to provide a mapping based on domain names.
This allows transport-layer connections to bind to Host Identities
instead of IP addresses transparently.
Instead of mapping domain names directly into IP addresses
(FQDN->IP), with HIP the DNS maps them to Host Identities (FQDN->HI).
In a second step, another lookup that is internal to the HIP-layer
translates the Host Identities into IP addresses for network-layer
delivery (HI->IP).
Several alternative approaches are possible for maintaining the
HI->IP information. The DNS can maintain this mapping along with the
FQDN->HI mapping. Alternatively, a database separate from the DNS
can manage this information. This section discusses the different
approaches and their implications on communication between two HIP
nodes.
The HIP architecture and protocol specifications suggest storing Host
Identities along with a node's IP addresses in the DNS [2][3]. The
index for both tables will be domain names. Logically, the DNS will
thus contain two separate mappings: FQDN->HI and FQDN->IP.
Figure 1 shows the lookup steps and HIP Base Exchange when a node's
Host Identities are stored alongside its IP addresses. In step #1,
the initiator I performs a DNS lookup on R's domain name FQDN(R).
The DNS server responds with both R's Host Identities HI(R) and its
IP addresses IP(R) in step #2.
The initiator I uses both pieces of information to perform the HIP
Eggert & Laganier Expires January 10, 2005 [Page 5]
Internet-Draft HIP Rendezvous Extensions July 2004
Base Exchange with R in step #3. (The details of the Base Exchange,
specified in [3], are not relevant to this discussion and will thus
be omitted.)
#1 FQDN(R) +----------+
+-------------------->| DNS |
| +-------------------| |
| | #2 HI(R), IP(R) | FQDN->HI |
| | | FQDN->IP |
| | +----------+
| V
+-----+ #3 HIP Base Exchange +-----+
| |-------------------------------->| |
| I |<--------------------------------| R |
| |-------------------------------->| |
| |<--------------------------------| |
+-----+ +-----+
Figure 1: HIP Lookup and Base Exchange
Note that the DNS does not currently store the HI->IP mapping
directly. Instead, a DNS lookup on a domain name returns both its
FQDN->HI and FQDN->IP entries. The HIP stack then implicitly
constructs the HI->IP mapping based on the HI and IP information
returned by the DNS lookup. In the example in Figure 1, the FQDN(R)
lookup in step #1 returns both HI(R) and IP(R) in step #2. HIP
implicitly constructs the HI(R)->IP(R) mapping based on the
assumption that HI(R) is reachable at IP(R).
One disadvantage of this approach is that a node's domain name is
required to obtain both its Host Identities and its IP addresses.
Even if a HIP node already knows the Host Identity of a HIP peer
through other means, it cannot currently obtain the peer's IP
addresses through the DNS. The DNS does not maintain an explicit
HI->IP table, but instead indexes Host Identities only by domain
names.
A reverse HI->FQDN DNS mapping could address this limitation. HIP
nodes would then look up a HIP peer's domain name through its Host
Identity. They would then use the returned domain name to find the
peer's IP addresses in a second lookup. However, the DNS may not be
structurally suited to maintain the reverse HIP->FQDN mapping. As
the main Internet-wide database, the DNS is already being overloaded
with functionality that might be better handled with new mechanisms
[12]. Finally, the additional reverse lookup would increase the
latency of the HIP Base Exchange.
Eggert & Laganier Expires January 10, 2005 [Page 6]
Internet-Draft HIP Rendezvous Extensions July 2004
3. Communication Between Mobile or Multi-Homed HIP Nodes
HIP decouples domain names from IP addresses. Because transport
protocols bind to Host Identities, they remain unaware if the set of
IP addresses associated with a Host Identity changes. This change
can have various reasons, including, but not limited to, mobility and
multi-homing.
Proposed extensions for mobility and multi-homing [4] allow a HIP
node to notify its peers about changes in its set of IP addresses.
These extensions require an established HIP association between two
nodes, i.e., a completed HIP Base Exchange.
In addition to notifying its current peers about changes in its IP
addresses, a HIP node must also update its HI->IP mapping in response
to IP address changes. Otherwise, HIP Base Exchanges from new peers
could fail because they try to contact the node at an IP address it
is no longer reachable at.
3.1 Mobility and Multi-Homing with DNS Updates
If the DNS indirectly maintains the HI->IP mapping in a FQDN->IP
table, nodes can dynamically update their DNS entry in a secure
fashion [6][7]. The DNS server maintaining the information will then
sign and distribute the updated zone.
#2 FQDN(R) +----------+
+-------------------->| DNS |
| +-------------------| |<------+
| | #3 HI(R), IP(R) | FQDN->HI | | #1 Update
| | | FQDN->IP | | FQDN(R)->IP(R)
| | +----------+ | whenever IP(R)
| V | changes.
+-----+ #4 HIP Base Exchange +-----+
| |-------------------------------->| |
| I |<--------------------------------| R |
| |-------------------------------->| |
| |<--------------------------------| |
+-----+ +-----+
Figure 2: HIP Lookup and Base Exchange with DNS Updates
Figure 2 shows an example of this scenario. In step #1, R registers
its FQDN(R)->IP(R) entry in the DNS. It will dynamically update the
DNS entry whenever its IP addresses IP(R) change. Because the DNS
always contains R's current IP addresses, node I can perform a HIP
Base Exchange with R at its new IP address (steps #2-4).
Eggert & Laganier Expires January 10, 2005 [Page 7]
Internet-Draft HIP Rendezvous Extensions July 2004
One drawback of using dynamic DNS updates in this way is the cost of
updating secure zones. Re-signing an entire zone whenever the IP
addresses of one entry change places a high cost on the DNS server.
Using dynamic DNS to update HI->IP mappings may thus not be
appropriate when changes of IP addresses are frequent.
A simple, operational change could help limit the costs of frequent
DNS updates. Instead of recomputing a zone after each dynamic
update, a DNS server could aggregate the modifications and only
perform zone updates periodically. The disadvantage of this approach
is that HIP nodes may be unreachable until the DNS server distributes
the updated zone.
Another concern with using the DNS to support HIP node mobility is
the propagation time of updated DNS entries. DNS servers frequently
cache DNS responses to reduce the load on the primary servers.
During the time-to-live associated with a DNS response, DNS servers
may answer additional requests for the same DNS entry from their
local caches instead of contacting the primary servers. Thus, even
after a HIP node updates its DNS entry, the DNS can still serve the
old entry until the cached responses expire. This can lead to
communication problems, because peers may try to contact a HIP node
at an IP address it is no longer reachable at.
3.2 Mobility and Multi-Homing with Rendezvous Servers
The HIP architecture tries to greatly reduce the frequency of Dynamic
DNS updates by introducing Rendezvous Servers [2]. Instead of
registering its current set of IP addresses in its HI->IP entry in
the DNS, a HIP node may instead register the IP addresses of its
Rendezvous Servers. Because the IP addresses of Rendezvous Servers
are assumed to change only infrequently, this approach can
significantly reduce the load on DNS servers.
Rendezvous Servers maintain a mapping between the Host Identities of
HIP nodes for which they provide service and the node's current IP
addresses. HIP nodes must notify their Rendezvous Servers about any
changes in their IP addresses. This approach effectively relocates
the HI->IP information - and the burden of keeping it current - from
the DNS to the Rendezvous Servers. This can reduce update costs
under the assumption that Rendezvous Servers provide more efficient
ways of maintaining HI->IP tables.
When a packet destined for one of its HIP nodes arrives at a
Rendezvous Server, it relays the packet to one of the HIP node's
current IP addresses. Due to the specifics of the HIP, only the
first packet of a HIP Base Exchange will require such relaying [2].
Subsequent packet of the HIP Base Exchange and all further data
Eggert & Laganier Expires January 10, 2005 [Page 8]
Internet-Draft HIP Rendezvous Extensions July 2004
packets will directly flow between the HIP nodes, bypassing the
Rendezvous Server.
#3 FQDN(R) +----------+ #2 Register IP(RVS) in
+--------------------->| DNS | FQDN(R)->IP(RVS).
| +--------------------| |<------------------+
| | #4 HI(R), IP(RVS) | FQDN->HI | |
| | | FQDN->IP | |
| | +----------+ |
| | |
| | #1 Update IP(R) in HI(R)->IP(R) |
| | +--------+ whenever IP(R) changes. |
| | | RVS |<------------------------------+ |
| | | | | |
| V +->| HI->IP |--+ | |
+-----+ | +--------+ | +-----+
| |---+ +------------------------->| |
| I | #5 First Message of HIP Base Exchange | R |
| | | |
| |<--------------------------------------------| |
| |-------------------------------------------->| |
| |<--------------------------------------------| |
+-----+ #6 Remainder of HIP Base Exchange +-----+
Figure 3: HIP Lookup and Base Exchange with Rendezvous Server
Figure 3 shows a HIP lookup and Base Exchange involving a Rendezvous
Server. Here, HIP node R is using Rendezvous Server RVS. In step
#1, it updates RVS with its current IP addresses IP(R). Then, in
step #2, R registers the Rendezvous Server's IP addresses IP(RVS) in
its FQDN(R)->IP(RVS) DNS entry.
In step #3, a second HIP node I issues a DNS lookup on FQDN(R) to
obtain R's Host Identities HI(R) and IP addresses. The lookup
returns R's Host Identities HI(R) in step #4. The DNS reply also
includes the IP addresses of the Rendezvous Server IP(RVS) (instead
of IP(R), because R's current addresses are unknown to the DNS.)
In step #5, node I initiates the HIP Base Exchange. It addresses the
first packet of the HIP Base Exchange to IP(RVS). Upon receipt, the
Rendezvous Server relays the packet to one of R's current IP
addresses IP(R). The remainder of the HIP Base Exchange then occurs
directly between I and R in step #6.
When Rendezvous Servers maintain the HI->IP information, they may
support more efficient update operations compared to dynamic DNS
updates (Section 3.1). Unlike the DNS, Rendezvous Servers do not
provide a lookup service. Instead, they use the HI->IP information
Eggert & Laganier Expires January 10, 2005 [Page 9]
Internet-Draft HIP Rendezvous Extensions July 2004
to actively relay traffic between HIP nodes.
This approach changes the role of the IP addresses stored in a DNS
entry. Traditionally, nodes were directly reachable at the IP
addresses listed in their DNS entry. HIP Rendezvous Server change
this basic property by replacing the IP addresses of their client
nodes in the DNS with their own. The IP addresses in a DNS entry
hence no longer directly designate interfaces of an endpoint.
Instead, they identify interfaces of a node that can relay packets to
the endpoint.
4. HIP Extensions for Rendezvous Servers
The following sections describe HIP extensions for communication with
Rendezvous Servers. These extensions allow:
o A HIP Rendezvous Server to advertise its RVS capabilities to its
correspondents.
o A HIP node to create a Rendezvous Association (RVA) with its
Rendezvous Server, i.e., to register its current set of IP
address(es).
o two HIP nodes to establish a HIP Association (HA) between them via
one or more Rendezvous Server.
4.1 Additional Control Fields in the HIP Base Header
RVS mechanisms make use of two new Control Fields in the HIP Control
Field: RVS_CAPABLE and CONCEAL_IP Control Fields. This new fields
are used to, respectively, advertise Rendezvous Server capabilities,
and query downstream RVS for concealing source IP addresses.
4.1.1 RVS Control Field
The RVS_CAPABLE Control Field ("R") allows a Rendezvous Server to
advertise its rendezvous capabilities to the HIP nodes it associates
with.
4.1.2 CONCEAL_IP Control Field
The CONCEAL_IP Control Field ("C") is used by a HIP node to query
downstream Rendezvous Servers to conceal its IP address. The RVS
conceals the sender's IP address of a HIP packet by (1) replacing the
packet's source IP address field with its own address, and by (2)
omitting to add a FROM parameter containing the sender's IP address.
Eggert & Laganier Expires January 10, 2005 [Page 10]
Internet-Draft HIP Rendezvous Extensions July 2004
A RVS receiving a HIP packet with the CONCEAL_IP Control Field set
MUST NOT augment the packet with a FROM parameter while relaying it.
If the relaying cannot be accomplished without FROM parameter, the
RVS MUST drop the packet, and MAY notify the original sender.
4.2 Additional HIP Parameters for Communication with Rendezvous Servers
4.2.1 RVA_REQUEST Parameter Format and Processing
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RVA Type #1 | RVA Type #2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RVA Type #n | padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 100
Length Length in octets, excluding Type, Length and Padding
Lifetime This field encode, the desired RVA validity time.
RVA Type This field encode, in order of preference, the
preferred rendezvous service types.
4.2.2 RVA_REPLY Parameter Format and Processing
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RVA Type #1 | RVA Type #2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RVA Type #n | padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 102
Length Length in octets, excluding Type, Length and Padding
Lifetime This field encode the offered RVA validity time
Eggert & Laganier Expires January 10, 2005 [Page 11]
Internet-Draft HIP Rendezvous Extensions July 2004
RVA Type This field encode, in order of preference, the
preferred rendezvous service types.
The following RVA Type are defined:
Type number RVA Type
----------- --------
0 Reserved
1 RELAY_I1
2 RELAY_I1R1
3 RELAY_I1R1I2
4 RELAY_I1R1I2R2
5 RELAY_ESP_I1
6 REDIRECT_I1
4.2.3 RVA_HMAC Parameter Format and Processing
The RVA_HMAC is an OPTIONAL parameter whose only difference with the
HMAC parameter defined in [3] is the Type code:
Type 65320
Length 20
HMAC 160 low order bits of a HMAC keyed with the appropriate
HIP integrity keys (HIP_lg or HIP_gl) of the corresponding
Rendezvous Association or HIP Association. This HMAC is
computed over the HIP packet excluding RVA_HMAC and any
other following parameter. The checksum field MUST be set
to zero and the HIP header length in the HIP common header
MUST be calculated not to cover any excluded parameter when
the Authenticator field is calculated.
To allow a HIP node and any of its RVS to verify the integrity of
packets flowing between them, both use an RVA_HMAC parameter keyed
with a HMAC of HIP_lg and HIP_gl integrity keys. One RVA_HMAC SHOULD
be present on every packets flowing between a HIP node and any of its
RVS and MUST be present when FROM and TO parameters are processed.
On the receiving side, when an RVA_HMAC is validated, it SHOULD be
removed from the packet and if so, packet length and checksum MUST be
recomputed accordingly.
Eggert & Laganier Expires January 10, 2005 [Page 12]
Internet-Draft HIP Rendezvous Extensions July 2004
4.2.4 FROM Parameter Format and Processing
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Address |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 65100 (under signature) or 65300 (after signature)
Length 16
Address An IPv6 address or an IPv4-in-IPv6 format IPv4 address
A Rendezvous Server MAY add a FROM parameter containing the original
source IP address of a HIP packet (I1, R1, I2 or R2) whose source IP
address has been rewritten. If one or more FROM parameters are
already present, the new FROM parameter MUST be appended after the
existing ones. Each time an RVS inserts a FROM parameter, it MUST
also insert additional parameters that will be used to validate this
and the subsequent HIP packets. These parameters are:
o An ECHO_REQUEST, containing a chunk of opaque data allowing to
validate, in a possible subsequent answer, a TO parameter which
MUST be protected by an ECHO_RESPONSE containing the same opaque
data.
o A valid RVA_HMAC, protecting the packet integrity.
When a HIP node validates a FROM parameter, it is removed from the
packet and recorded for later use (i.e., for building the
corresponding TO parameter to be piggybacked onto a subsequent
answer). The packet's source IP address is also replaced by the
address included in the first occurrence of FROM parameter.
For each FROM parameter, a HIP node MAY add to its replies a TO
parameter containing the IP address included in the FROM. These
replies will be sent via the RVS, which MUST remove the outer TO
parameter from the packet and replace its destination address with
the address contained in the TO parameter before relaying it.
Eggert & Laganier Expires January 10, 2005 [Page 13]
Internet-Draft HIP Rendezvous Extensions July 2004
4.2.5 TO Parameter Format and Processing
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Address |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 65102 (under signature) or 65302 (after signature)
Length 16
Address An IPv6 address or an IPv4-in-IPv6 format IPv4 address
A HIP node MAY add one or more TO parameter containing the final
destination IP address of a HIP packet (I1, R1, I2 or R2) whose
destination IP address needs to be rewritten by an RVS. This is
essentially equivalent to loose source-routing. If one or more TO
parameters are already present, the new TO parameter MUST be appended
after the existing ones. Each time a node inserts a TO parameter, it
MUST also insert additional parameters that will be used by the RVS
for validation. These parameters are:
o An ECHO_RESPONSE, containing a chunk of opaque data allowing the
RVS to validate the address contained in the TO parameter.
o A valid RVA_HMAC, protecting the packet integrity.
When the RVS validates a TO parameter, SHALL remove it from the
packet, and SHALL replace the packet destination IP address with the
address included in the TO parameter. Packet length and checksum
MUST then be recomputed accordingly.
For each FROM parameter, a HIP node MAY add to its replies a TO
parameter containing the IP address included in the FROM. These
replies will be sent via the RVS, which MUST remove the outer TO
parameter from the packet and replace its destination address field
with the address contained in the TO parameter before relaying it.
Eggert & Laganier Expires January 10, 2005 [Page 14]
Internet-Draft HIP Rendezvous Extensions July 2004
4.2.6 VIA_RVS Parameter Format and Processing
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Address |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. . .
. . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Address |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 65500
Length Variable
Address An IPv6 address or an IPv4-in-IPv6 format IPv4 address
At some point a, HIP endpoint might be in position to begin to send
HIP packets directly towards the remote HIP endpoint's IP address,
without further assistance from one or more of its RVS(s). In that
case, it MAY include in these packets a subset of the IP address(es)
of its Rendezvous Servers by either:
o Add its IP address into an existing VIA_RVS parameter situated at
the end of the HIP packet, while modifying accordingly the size of
the parameter.
o Appending a newly created VIA_RVS parameter at the end of the HIP
packet if it does not already contain a VIA_RVS parameter.
Note that the main goal of the using the VIA_RVS parameter is to
allow operators to diagnose possible issues encountered while
establishing a HIP association via a RVS.
4.3 Use of Existing HIP Messages and Parameters
4.3.1 ECHO_REQUEST and ECHO_REPLY Parameters
A FROM parameter MAY be augmented by including an ECHO_REQUEST
Eggert & Laganier Expires January 10, 2005 [Page 15]
Internet-Draft HIP Rendezvous Extensions July 2004
parameter to the carrying packet. The contents of the ECHO_REQUEST
might then be echoed back in ECHO_RESPONSE.
A TO parameter SHOULD be augmented and authenticated by including an
ECHO_REPLY parameter to the carrying packet. The contents of the
ECHO_REPLY MUST be copied from a previously received ECHO_RESPONSE.
All the HIP packets requiring RVS relaying facility to carry an
answer packet SHOULD be augmented by the RVS with an ECHO_REQUEST
parameter.
A possible packet answered via the RVS, thus requiring relaying
facility, SHOULD be authenticated by an ECHO_REPLY parameter. The
contents of the ECHO_REPLY MUST be copied from a previously received
ECHO_RESPONSE.
On the receiving side, when a HIP node validates an ECHO_REPLY
located after the signatures, it MUST remove it from the packet and
recompute packet length and checksum accordingly.
4.3.2 REA Parameter
A HIP node associated via an RVS MAY use a REA parameter to make its
correspondent aware of its veritable current IP address. If used,
the REA parameter MUST be used in conformance with the guidelines
specified in [4]. In addition, a HIP node MAY initiate the protocol
later during the base exchange by using the REA parameter in the R2
packet. This R2-with-REA packet MUST be treated as a
UPDATE-with-REA, i.e., trigger a Routability Return check by
generating and sending a new SPI stored in a NES parameter included
in an UPDATE packet.
4.3.3 NES Parameter
A HIP node receiving a REA packet later than I2 MUST perform a
Routability Return check before sending data to the new IP address.
This check is performed by replying to an incoming REA with a NES
parameter containing a new SPI to be used, as described in [4].
Eggert & Laganier Expires January 10, 2005 [Page 16]
Internet-Draft HIP Rendezvous Extensions July 2004
5. Diagram Notation
Notation Significance
-------- ------------
I, R I and R are the respective source and destination IP
addresses of the IP header
HIT-I, HIT-I and HIT-R are respectively the Initiator and the
HIT-R Responder HIT of the packet
R The RVS_CAPABLE Control Field is set into the Control
Field of the HIP header
C The CONCEAL_IP Control Field is set into the Control
Field of the HIP header
REA:I A REA parameter containing the IP address i is
present in the HIP header
FROM:I A FROM parameter containing the IP address I is present
in the HIP header
TO:I A TO parameter containing the IP address I is present
in the HIP header
VIA_RVS:RVS A VIA_RVS parameter containing IP addresses RVS
is present in the HIP header
EREQ An ECHO_REQUEST parameter is present in the HIP header
EREP An ECHO_REPLY parameter is present in the HIP header
RREQ A RVA_REQUEST parameter is present in the HIP header
RREP A RVA_REPLY parameter is present in the HIP header
6. Establishing Rendezvous Associations
A HIP node that wants to register its IP address with its RVS MAY
simply establish a HIP association with it. It MUST then keep its IP
address current with the server by sending UPDATE packets whenever
its set of IP addresses changes.
However, for the sake of economizing RVS resources, which can
possibly be used by several thousands of different HIP nodes, we
Eggert & Laganier Expires January 10, 2005 [Page 17]
Internet-Draft HIP Rendezvous Extensions July 2004
define a new sort of "soft state" HIP association called a Rendezvous
Association (RVA). In order to maintain this RVA established, a HIP
Association need not remain established.
A HIP node MAY establish an RVA with its RVS by establishing a HA
while adding an RVA_REQUEST parameter in an I2, possibly preceded by
an I1 containing the same RVA_REQUEST. The possibility offered to
initiate the protocol in I1 allows a HIP node to query a RVS for the
set of offered rendezvous service types before completing the
establishment of the Rendezvous association (in case the desired
service type isn't available on this RVS). A RVS MUST then reply
with, respectively, an R2 possibly preceded by an R1, which will both
have the RVS_CAPABLE control field set, and contain a RVA_REPLY
parameter specifying the characteristics of the offered RVA (validity
time, type, etc.). Then, the RVS and the HIP node MAY delete most of
the HIP Association state, retaining only the Lifetime, Initiator's
HIT and IP address(es), as well as HIP_lg and HIP_gl integrity keys.
When a HA is established via an RVS, the integrity of HIP packets
flowing between a HIP node and its RVS is protected by an additional
RVA_HMAC keyed with these keys.
I1(I, RVS, HIT-I,
HIT-RVS) +------+
+-------------------------->| |
|+--------------------------| |
|| R1(RVS, I, HIT-RVS, | |
|| HIT-I, R) | |
|| | RVS1 |
|| I2(I, RVS, HIT-I, | |
|| HIT-RVS, RREQ) | |
|| +----------------------->| |
|| |+-----------------------| |
|| || R2(RVS, I, HIT-RVS, +------+
|| || HIT-I, R, RREP)
|V |V
+-----+
| |
| I |
| |
+-----+
Figure 12: Establishing a Rendezvous Association
There is nothing to prevent an RVS node to advertise its RVS
capabilities to the peers it associates with, nor to establish an RVA
with another RVS.
Eggert & Laganier Expires January 10, 2005 [Page 18]
Internet-Draft HIP Rendezvous Extensions July 2004
If a HIP node wants to associate with several cascaded Rendezvous
Servers RVS_i (0 < i < n+1), it SHALL sequentially create RVAs
(RVA_i) with each of them, starting from the "nearest" (RVS_1) to the
"farthest" (RVS_n). Apart from RVA_1, a node SHOULD create any such
RVA_i (1 < i < n+1) by sending an I1 to RVS_i via each of the RVS
which precede it, i.e., RVS_j (1 < j < i).
This is achieved by using (i - 1) different TO parameters containing,
in order, the IP address of each RVS preceding RVS_i, i.e., RVS_j (1
< j < i). This process is similar to IP loose source-routing.
Hence, A RVS accepting to be part of a cascade MAY relay an incoming
I1 from one its clients to any given address and HIT. Those I1s MUST
be protected by a valid RVA_HMAC parameter.
I1(I, RVS1, HIT-I, I1(RVS1, RVS2, HIT-I,
HIT-RVS2, TO:RVS2) +------+ HIT-RVS2, EREQ1)
+-------------------------->| |----------------------------+
|+--------------------------| |<--------------------------+|
|| R1(RVS1, I, HIT-RVS2, | | R1(RVS2, RVS1, ||
|| HIT-I, R, EREQ1) | | HIT-RVS2, HIT-I, ||
|| | RVS1 | R, EREP1) ||
|| I2(I, RVS1, HIT-I, | | ||
|| HIT-RVS2, RREQ, | | I2(RVS1, RVS2, HIT-I, ||
|| EREP1, TO:RVS2) | | HIT-RVS2, RREQ, EREQ1) ||
|| +----------------------->| |------------------------+ ||
|| |+-----------------------| |<----------------------+| ||
|| || R2(RVS1, I, HIT-RVS2, +------+ R2(RVS2, RVS1, || ||
|| || HIT-I, R, RREP, HIT-RVS2, HIT-I, || ||
|| || EREQ1) R, RREP, EREP1) || ||
|V |V |V |V
+-----+ +------+
| | | |
| I | | RVS2 |
| | | |
+-----+ +------+
Figure 13: Establishing Cascaded Rendezvous Associations
7. Establishing HIP Associations via Rendezvous Servers
7.1 Sending a Redirect in Reply to I1
Instead of having the RVS relay incoming I1s to the correct
Responder, one possibility is to answer with a redirect packet when a
HIP packet destined for one of the Rendezvous Server's HIP nodes
arrives. This redirect packet contains the IP address and packet
Eggert & Laganier Expires January 10, 2005 [Page 19]
Internet-Draft HIP Rendezvous Extensions July 2004
signature of the Responder.
The Responder cannot sign the redirect packets delivered by the RVS
in real time. When the RVA is set up, the Responder sends the signed
redirect packet to the RVS, who stores it until the RVA expires.
This redirect packet can be implemented by using a REA parameter
embedded into a NOTIFY packet that includes a SIGNATURE2 parameter
for protection. Note that this may expose the Initiator to replay
attacks, but this is not very different from the situation where the
Initiator receives a signed R1 whose signature omits Receiver HIT.
However, because an initiator might be unaware of the HI of the
responder, knowing only its HIT, it might not be able to verify this
SIGNATURE2. Hence, it is necessary to include in this redirect
packet the HI of the responder, thus allowing the initiator to verify
the signatures based on a previously known HIT.
7.2 Relaying I1 Only
7.2.1 Passing I1 Through an ESP SA
If a HIP node and one of its Rendezvous Servers maintain a HIP
Association, the Rendezvous Server MAY tunnel I1s incoming to this
node's HIT into the corresponding ESP SA. The main drawbacks of this
approach are that, (1) middleboxes cannot see the encrypted I1
passing from an RVS to its clients, and (2) the source IP address of
I1 is lost. In particular, (2) implies that the RVS MUST transmit to
the responder the original source IP address by either of the
following:
o add a FROM parameter to the HIP header
o include the whole original IP header in the ESP payload (very
similar to ESP tunnel mode)
o route back the subsequent R1 via the RVS
Eggert & Laganier Expires January 10, 2005 [Page 20]
Internet-Draft HIP Rendezvous Extensions July 2004
ESP(RVS, R,
I1(I, RVS, HIT-I,
I1(I, RVS, HIT-I, HIT-R) +---------+ HIT-R, FROM:I))
+----------------------->| |--------------------+
| | RVS | |
| | | |
| +---------+ |
| V
+-----+ R1(R, I, HIT-R, HIT-I, REA:R, VIA_RVS:RVS) +-----+
| |<---------------------------------------------| |
| | | |
| I | I2(I, R, HIT-I, HIT-R) | R |
| |--------------------------------------------->| |
| |<---------------------------------------------| |
+-----+ R2(R, I, HIT-R, HIT-I) +-----+
Figure 14: Rendezvous Server Forwarding I1 Through an ESP SA
7.2.2 Rewriting I1 Destination IP Address
When a HIP packet destined for one of its HIP nodes arrives at a
Rendezvous Server, it relays the packet to one of the HIP node's
current IP addresses. In most case, it is expected that only the
first packet of a HIP Base Exchange (i.e., I1) will require such
relaying [2]. Subsequent packet of the HIP Base Exchange and all
further data packets will directly flow between the HIP nodes,
bypassing the Rendezvous Server.
In the simplest case, the Rendezvous Server can relay an I1 towards
its true destination by merely replacing the destination IP address
of the I1 by one of the destination HIT owner's IP address(es).
Note, however, that such I1s might be subject to egress filtering on
the Rendezvous Server's network [8], thus causing I1 packet to be
dropped (source IP address does not belong to the RVS network).
Eggert & Laganier Expires January 10, 2005 [Page 21]
Internet-Draft HIP Rendezvous Extensions July 2004
I1(I, R, HIT-I,
I1(I, RVS, HIT-I, HIT-R) +---------+ HIT-R, FROM:I)
+----------------------->| |--------------------+
| | RVS | |
| | | |
| +---------+ |
| V
+-----+ R1(R, I, HIT-R, HIT-I, REA:R, VIA_RVS:RVS) +-----+
| |<---------------------------------------------| |
| | | |
| I | I2(I, R, HIT-I, HIT-R) | R |
| |--------------------------------------------->| |
| |<---------------------------------------------| |
+-----+ R2(R, I, HIT-R, HIT-I) +-----+
Figure 15: Rendezvous Server Rewriting I1 Destination IP Address
7.2.3 Rewriting I1 Source and Destination IP Addresses
Because of egress filtering, a HIP Rendezvous Server might need to
replace the original source IP address of an I1 by its own IP
address, thus concealing the Initiator's IP address to the Responder.
While this might be desirable, one of the extension described in this
document allows a Rendezvous Server to piggy-back incoming HIP
packets with an OPTIONAL FROM parameter containing the original
source IP address of the packet. A HIP node receiving a packet
containing such a FROM parameter has two possibilities for answering
back. It might answer back either:
o Directly to the IP address included in the FROM parameter, thus
disclosing its IP address.
o Via the Rendezvous Server IP address, adding to the HIP header a
TO parameter containing the IP address included in the FROM
parameter, thus being able to conceal its IP address to its
correspondent.
Eggert & Laganier Expires January 10, 2005 [Page 22]
Internet-Draft HIP Rendezvous Extensions July 2004
I1(I, RVS, HIT-I,
I1(I, RVS, HIT-I, HIT-R) +---------+ HIT-R, FROM:I)
+----------------------->| |--------------------+
| | RVS | |
| | | |
| +---------+ |
| V
+-----+ R1(R, I, HIT-R, HIT-I, REA:R, VIA_RVS:RVS) +-----+
| |<---------------------------------------------| |
| | | |
| I | I2(I, R, HIT-I, HIT-R) | R |
| |--------------------------------------------->| |
| |<---------------------------------------------| |
+-----+ R2(R, I, HIT-R, HIT-I) +-----+
Figure 16: Rendezvous Server Rewriting I1 Source and Destination IP
Addresses
7.3 Relaying Additional HIP Packets
It might be useful to relay further HIP packets (i.e., R1, I2 and R2)
via the RVS, for example for concealing HIP nodes IP addresses until
they have authenticated each other.
Because these packets are larger than I1 (they contain public keys
and signatures), the relaying of such packet create an opportunity
for denial of service attacks. To defend against these attacks, the
Rendezvous Server needs to differentiate between legitimate HIP
packets (i.e., I1 and subsequent HIP packets triggered by an I1) and
illegitimate ones.
For the sake of reducing the load incurred on the RVS, an RVS is not
required to keep track of IP addresses and other pieces of state
associated with ongoing HIP exchanges. Such behavior is OPTIONAL.
Instead, the relaying facility MAY make use of ECHO_REQUEST and
ECHO_RESPONSE parameters.
Each time a packet is being relayed, the RVS MAY augment it with an
ECHO_REQUEST parameter containing a chunk of opaque data. The
receiver of such a packet SHOULD augment any packet answering to this
packet with an ECHO_REPLY parameter containing the same chunk of
opaque data. This opaque data allows an RVS to find and validate the
answered packet IP addresses and HITs. When successfully validated,
ECHO_REPLY parameters SHOULD be removed from the packet before
relaying.
Eggert & Laganier Expires January 10, 2005 [Page 23]
Internet-Draft HIP Rendezvous Extensions July 2004
7.3.1 Concealing the Responder IP Address
As mentioned before, a Responder MAY want to conceal its IP
address(es) to an Initiator whose Host Identity has not yet been
validated by an I2. Such a Responder SHOULD set the CONCEAL_IP
Control Field in the HIP packets (R1 and R2) it sends. The
Rendezvous Server then MUST replace the source IP address of relayed
HIP packets with its own one without appending a FROM parameter.
The Responder MUST NOT include a REA parameter before it receives a
valid I2. This situation also requires the Responder to send back
via the RVS an R1 to the Initiator. Then, the Initiator will sends
via the RVS an I2 to the Responder, causing the Responder to send
directly to the Initiator an R2 containing a REA parameter with its
current IP address(es).
[4] does not describe any method to initiate the readdressing
protocol in an R2 (by adding a REA parameter). A Responder MAY
initiate the readdressing protocol in R2. The Initiator SHOULD then
perform a Routability Return check by answering with an UPDATE packet
including a NES. The Responder will then use the new SPI to sends
ESP packet to the Initiator.
Eggert & Laganier Expires January 10, 2005 [Page 24]
Internet-Draft HIP Rendezvous Extensions July 2004
I1(I, RVS, I1(RVS, R, HIT-I,
HIT-I, HIT-R) +---------+ HIT-R, FROM:I, EREQ)
+-------------------->| |----------------------+
|+--------------------| |<--------------------+|
|| R1(RVS, I, HIT-R, | | R1(R, RVS, HIT-R, ||
|| HIT-I, C, EREQ) | | HIT-I, C, TO:I, ||
|| | RVS | EREP) ||
|| | | ||
|| | | I2(RVS, R, HIT-I, ||
|| I2(I, RVS, HIT-I, | | HIT-R, FROM:I, ||
|| HIT-R, EREP) | | EREQ) ||
|| +----------------->| |-------------------+ ||
|| | +---------+ | ||
|V | V |V
+-----+ R2(R, I, HIT-R, HIT-I, REA:R, EREP) +-----+
| |<--------------------------------------------| |
| |-------------------------------------------->| |
| | UPDATE(I, R, HIT-I, HIT-R, NES:SPI-I) | |
| I | | R |
| | ESP(R, I, SPI-R) | |
| |<--------------------------------------------| |
| |-------------------------------------------->| |
+-----+ ESP(I, R, SPI-I) +-----+
Figure 17: Responder Concealing its IP address
7.3.2 Concealing the Initiator IP Address
Similarly, an Initiator might want to conceal its IP address(es) to a
Responder whose Host Identity has not yet been validated by R2. Such
an Initiator set the CONCEAL_IP Control Field in the HIP packets (I1
and I2) it sends.
The Rendezvous Server then replace the source IP address of relayed
HIP packets with its own one without appending a FROM parameter.
The Initiator MUST NOT include a REA parameter before he received a
valid I2. This situation also requires the Responder to send back
via the RVS an R1 to the Initiator. Then, the Initiator will sends
via the RVS an I2 to the Responder. This will cause the Responder to
send via the RVS to the Initiator an R2 containing a REA parameter
with its current IP address(es).
[4] does not describe any method to initiate the readdressing
protocol in an R2 (by adding a REA parameter). A Responder MAY
initiate the readdressing protocol in R2. The Initiator SHOULD then
Eggert & Laganier Expires January 10, 2005 [Page 25]
Internet-Draft HIP Rendezvous Extensions July 2004
perform a Routability Return check by answering with an UPDATE packet
including a NES. The Responder will then use the new SPI to sends
ESP packet to the Initiator.
The Initiator should then initiate a "classic" readdressing protocol
by sending UPDATE packets including a REA parameter, as per [4].
I1(RVS, R, HIT-I,
I1(I, RVS, HIT-I, HIT-R, C) +-----+ HIT-R, C, EREQ)
+-------------------------->| |---------------------------+
|+--------------------------| |<-------------------------+|
|| R1(RVS, I, HIT-R, | | R1(R, RVS, HIT-R, ||
|| HIT-I, REA:R, EREQ) | | HIT-I, REA:R, EREP) ||
|| | RVS | ||
|| I2(I, RVS, HIT-I, | | I2(RVS, R, HIT-I, ||
|| HIT-R, C, EREP) | | HIT-R, C, EREQ ||
|| +----------------------->| |------------------------+ ||
|| |+-----------------------| |<----------------------+| ||
|| || R2(RVS, I, HIT-R, +-----+ R2(R, RVS, HIT-R, || ||
|| || HIT-I, REA:R, EREQ) HIT-I, REA:R, EREP)|| ||
|V |V |V |V
+-----+ +-----+
| | | |
| I | | R |
| | | |
+-----+ +-----+
Figure 18: Initiator Concealing its IP address
At this point, the functionality described here has not been verified
to not introduce new opportunities for DoS and DDoS attacks, because
the responder is unaware of the original source IP address of a
packet. Hence, it is questionable if a responder accepting concealed
initiator(s) should be able, while establishing an RVA with it RVS,
to negotiate a rate-limit on the throughput of relayed I1s. This
might be done by adding a Rate Limit field in the RVA_REQUEST and
RVA_REPLY parameter.
7.3.3 Concealing Initiator and Responder IP Addresses
This situation combines the two variant of IP address concealing
described previously: both Initiator and Responder want to conceal
their IP addresses until their correspondent's Host Identity is
validated by, respectively, a R2 and an I2. All the HIP packets
prior to, and including, R2, MUST be exchanged via the RVS with the
CONCEAL_IP Control Field set.
Eggert & Laganier Expires January 10, 2005 [Page 26]
Internet-Draft HIP Rendezvous Extensions July 2004
The Rendezvous Server then replace the source IP address of relayed
HIP packets with its own one without appending a FROM parameter.
Both Initiator and Responder MUST NOT include a REA parameter before
they received and validated, respectively, an R2 or a I2. This
situation also requires the Responder to send back via the RVS R1 and
R2 to the Initiator. Then, the Initiator will sends via the RVS an
I2 to the Responder. This will cause the Responder to send via the
RVS to the Initiator an R2 containing a REA parameter with its
current IP address(es).
[4] does not describe any method to initiate the readdressing
protocol in an R2 (by adding a REA parameter). A Responder MAY
initiate the readdressing protocol in R2. The Initiator SHOULD then
(1) perform a Routability Return check by answering with an UPDATE
packet including a NES as in [4], and (2), SHOULD initiate a
readdressing protocol with the same update, as in [4]. The Initiator
and Responder MUST then use the new SPIs for future ESP packets.
I1(RVS, R, HIT-I,
I1(I, RVS, HIT-I, HIT-R, C) +-----+ HIT-R, C, EREQ)
+-------------------------->| |---------------------------+
|+--------------------------| |<-------------------------+|
|| R1(RVS, I, HIT-R, | | R1(R, RVS, HIT-R, ||
|| HIT-I, C, EREQ) | | HIT-I, C, EREP) ||
|| | RVS | ||
|| I2(I, RVS, HIT-I, | | I2(RVS, R, HIT-I, ||
|| HIT-R, C, EREP) | | HIT-R, C, EREQ ||
|| +----------------------->| |------------------------+ ||
|| |+-----------------------| |<----------------------+| ||
|| || R2(RVS, I, HIT-R, +-----+ R2(R, RVS, HIT-R, || ||
|| || HIT-I, C, EREQ) HIT-I, REA:R, EREP)|| ||
|V |V |V |V
+-----+ +-----+
| | | |
| I | | R |
| | | |
+-----+ +-----+
Figure 19: Initiator and Responder Concealing their IP addresses
7.4 Cascading Rendezvous Servers
In some situations, it might be useful to use cascaded Rendezvous
Servers to establish RVS associations. A typical scenario would be a
small number of "trusted" Rendezvous Servers and a larger number of
Eggert & Laganier Expires January 10, 2005 [Page 27]
Internet-Draft HIP Rendezvous Extensions July 2004
"untrusted" Rendezvous Servers. Only the trusted Rendezvous Servers
are aware of the IP addresses of the Responders. The untrusted
servers know only the IP addresses of other (un)trusted Rendezvous
Servers. Untrusted Rendezvous Servers are changed periodically, in
order to lower the opportunity for flooding-type attacks on their IP
addresses.
In the case of cascaded Rendezvous Servers, the parameters added to
the HIP base exchange, like FROM, TO, VIA_RVS, ECHO_REQUEST/REPLY or
RVA_HMAC, MUST be "aggregated" or "clustered" on a per-type basis.
This means that, when an RVS needs to add onto a HIP packet a
parameter which is already present in it, this parameter MUST be
added just after the existing parameter(s) of the same type. For
instance, a FROM parameter MUST be added just after the existing
FROM(s) parameter(s). The same applies to TO, VIA_RVS,
ECHO_REQUEST/REPLY or RVA_HMAC.
Another solution to cascaded Rendezvous Servers may be to encapsulate
the original packet into a PAYLOAD and then piggyback it with
additional parameters. This scheme has not been evaluated further.
I1(RVS2, R, HIT-I,
I1(I, RVS, I1(RVS1, RVS2, HIT-R, EREQ1,
HIT-I, HIT-I, HIT-R, EREQ2, FROM:I,
HIT-R) +------+ EREQ1, FROM:I) +------+ FROM:RVS1)
+--------->| |------------------->| |---------+
| | RVS1 | | RVS2 | |
| +--------| |<-------------------| |<------+ |
| | +------+ R1(RVS2, RVS2, +------+ | |
| | HIT-I, HIT-R, | |
| | EREP1, EREQ2, | |
| | TO:I) | |
| | R1(RVS1, I, HIT-R, R1(R, RVS2, HIT-R, | |
| | HIT-I, REA:R, HIT-I, REA:R, | |
| | EREQ2, EREQ1) EREP1, EREP2, | |
| | TO:I, TO:RVS2) | |
| V | V
+-----+ I2(I, R, HIT-I, HIT-R, EREP2, EREP1) +-----+
| |-------------------------------------------->| |
| I |<--------------------------------------------| R |
+-----+ R2(R, I, HIT-R, HIT-I) +-----+
Figure 20: Two Cascaded Rendezvous Servers Relaying an I1-R1 Message
Pair
Eggert & Laganier Expires January 10, 2005 [Page 28]
Internet-Draft HIP Rendezvous Extensions July 2004
7.5 Opportunistic Initiators
Because an opportunistic initiator uses the unspecified IPv6 address
(i.e., ::0) as a placeholder for the Responder HIT in I1s it sends,
an RVS cannot use this Responder HIT to demultiplex incoming
"opportunistic" I1s. The only way to properly relay such an
opportunistic I1 to the appropriate responder is to lease per-client
(hence per-HIT) relay IP addresses. That way, the RVS MAY use the
destination IP address as an indicator to determine the correct
responder.
In order to avoid trivial spoofing attacks with R1s, a HIP node
receiving an opportunistic I1 from a Rendezvous Server SHOULD reply
with its R1 via the same Rendezvous Server.
7.6 Implication on the HIP integrity checks
The establishment of HIP associations through one or more Rendezvous
Servers causes HIP packets flowing between the HIP nodes to be
modified during transmission. Several kinds of modifications to both
the IP and HIP headers are possible. The HIP protocol uses two kinds
of packet integrity checks: hop-by-hop and end-to-end. The HIP
checksum is a hop-by-hop check and SHOULD be verified and recomputed
by each of the on-path HIP middleboxes (e.g., Rendezvous Servers).
The HMAC and SIGNATURE are end-to-end checks and MUST be computed by
the sender and verified by the receiver.
7.6.1 Checksum
The checksum field of a HIP header to be modified MUST be verified
before applying the modification and recomputed accordingly after.
7.6.2 HMAC and SIGNATURE
The HMAC and SIGNATURE field of a HIP header MUST be computed and
verified based on a "sender view" or "receiver view" of the HIP
header. In particular, this implies that SIGNATURE and HMAC MUST NOT
cover FROM and TO parameters added or removed by Rendezvous Servers
and that the HIP pseudo-header used to compute and verify them MUST
contain the IP addresses as seen by the remote HIP peer. In case of
IP address concealment, this means that the IP address(es) of the
Rendezvous Servers MUST be used in the pseudo-header in place of the
IP address(es) of the end hosts.
7.6.3 Example
Here is an example showing how to compute the different integrity
checks (end-to-end and hop-by-hop) when two Rendezvous Servers are
Eggert & Laganier Expires January 10, 2005 [Page 29]
Internet-Draft HIP Rendezvous Extensions July 2004
cascaded and when both peers conceals their IP addresses (packet
flowing along the path I -> RVS1 -> RVS2 -> R)
End-to-end integrity checks: HMAC and SIGNATURE are computed with a
pseudo-header containing (two times) RVS1 as place holder for source
and destination IP addresses. The rationale being that the initiator
is concealing its IP address behind that of RVS1. Therefore, R will
verify the signature using RVS1 as the source IP address in the
pseudo-header. Similarly, the responder is concealing its IP address
behind that of RVS1, so I will verify the signature using RVS1 as a
source IP address in the pseudo-header.
hop-by-hop integrity checks: Checksum is computed hop-by-hop; first
with I and RVS1, then with RVS1 and RVS2, and finally with RVS2 and
R.
8. Security Considerations
The security aspects of different HIP rendezvous mechanisms are
currently being investigated. They will be discussed in a future
revision of this document.
9. Acknowledgments
The following people have provided thoughtful and helpful discussions
and/or suggestions that have improved this document: Marcus Brunner,
Tom Henderson, Miika Komu, Mika Kousa, Pekka Nikander, Simon Schuetz,
Tim Shepard, Kristian Slavov, Martin Stiemerling, and Juergen
Quittek.
10. References
10.1 Normative References
[1] Mockapetris, P., "Domain names - concepts and facilities", STD
13, RFC 1034, November 1987.
[2] Moskowitz, R., "Host Identity Protocol Architecture",
draft-moskowitz-hip-arch-05 (work in progress), October 2003.
[3] Moskowitz, R., Nikander, P. and P. Jokela, "Host Identity
Protocol", draft-moskowitz-hip-09 (work in progress), February
2004.
[4] Nikander, P., "End-Host Mobility and Multi-Homing with Host
Identity Protocol", draft-nikander-hip-mm-01 (work in progress),
January 2004.
Eggert & Laganier Expires January 10, 2005 [Page 30]
Internet-Draft HIP Rendezvous Extensions July 2004
[5] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[6] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April
1997.
[7] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, November 2000.
[8] Killalea, T., "Recommended Internet Service Provider Security
Services and Procedures", BCP 46, RFC 3013, November 2000.
[9] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating
Denial of Service Attacks which employ IP Source Address
Spoofing", BCP 38, RFC 2827, May 2000.
10.2 Informative References
[10] Saltzer, J., "On the Naming and Binding of Network
Destinations", RFC 1498, August 1993.
[11] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[12] Klensin, J., "Role of the Domain Name System (DNS)", RFC 3467,
February 2003.
[13] Nikander, P., "A Bound End-to-End Tunnel (BEET) mode for ESP",
draft-nikander-esp-beet-mode-00 (work in progress), October
2003.
Authors' Addresses
Lars Eggert
NEC Network Laboratories
Kurfuersten-Anlage 36
Heidelberg 69115
DE
Phone: +49 6221 90511 43
Fax: +49 6221 90511 55
EMail: lars.eggert@netlab.nec.de
URI: http://www.netlab.nec.de/
Eggert & Laganier Expires January 10, 2005 [Page 31]
Internet-Draft HIP Rendezvous Extensions July 2004
Julien Laganier
Sun Labs (Sun Microsystems) & LIP (CNRS/INRIA/ENSL/UCBL)
180, Avenue de l'Europe
Saint Ismier CEDEX 38334
FR
Phone: +33 476 188 815
EMail: ju@sun.com
URI: http://research.sun.com/
Appendix A. Document Revision History
+-----------+-------------------------------------------------------+
| Revision | Comments |
+-----------+-------------------------------------------------------+
| 00 | Compared to draft-eggert-hip-rendezvous-00: Minor |
| | fixes to figures and their descriptive text. Added |
| | RVS protocol specification. Removed sections related |
| | to communications between HIP and non-HIP nodes. Use |
| | boilerplate from RFC 3668. |
+-----------+-------------------------------------------------------+
Eggert & Laganier Expires January 10, 2005 [Page 32]
Internet-Draft HIP Rendezvous Extensions July 2004
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Eggert & Laganier Expires January 10, 2005 [Page 33]
Html markup produced by rfcmarkup 1.129c, available from
https://tools.ietf.org/tools/rfcmarkup/